diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
index ceacdbb6dc..2473c384ee 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
@@ -56,7 +56,7 @@ Use the following table to get information about supported versions of Office an
-[Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) |
+[Planning for Using App-V with coexisting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) |
Considerations for installing different versions of Office on the same computer |
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
index d2b4fb5e5e..3cf91ddf99 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
@@ -56,7 +56,7 @@ Use the following table to get information about supported versions of Office an
-[Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) |
+[Planning for Using App-V with coexisting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) |
Considerations for installing different versions of Office on the same computer |
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md b/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md
index 5142ecf01f..143ee0777c 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md
@@ -1,13 +1,14 @@
---
title: How to Deploy the App-V Client
description: How to Deploy the App-V Client
+ms.author: pashort
author: jamiejdt
ms.assetid: 9c4e67ae-ddaf-4e23-8c16-72d029a74a27
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
-ms.date: 11/01/2016
+ms.date: 11/05/2018
---
@@ -18,341 +19,137 @@ Use the following procedure to install the Microsoft Application Virtualization
**What to do before you start**
-1. Review and install the software prerequisites:
+1. Review and install the software prerequisites:
- Install the prerequisite software that corresponds to the version of App-V that you are installing:
+ Install the prerequisite software that corresponds to the version of App-V that you are installing:
- - [About App-V 5.0 SP3](about-app-v-50-sp3.md)
+ - [About App-V 5.0 SP3](about-app-v-50-sp3.md)
- - App-V 5.0 SP1 and App-V 5.0 SP2 – no new prerequisites in these versions
+ - App-V 5.0 SP1 and App-V 5.0 SP2 – no new prerequisites in these versions
- - [App-V 5.0 Prerequisites](app-v-50-prerequisites.md)
+ - [App-V 5.0 Prerequisites](app-v-50-prerequisites.md)
-2. Review the client coexistence and unsupported scenarios, as applicable to your installation:
+2. Review the client coexistence and unsupported scenarios, as applicable to your installation:
-
-
-
-
-
-
-
- Deploying coexisting App-V clients |
- [Planning for the App-V 5.0 Sequencer and Client Deployment](planning-for-the-app-v-50-sequencer-and-client-deployment.md) |
-
-
- Unsupported or limited installation scenarios |
- See the client section in [App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md) |
-
-
-
+ | | |
+ |---|---|
+ |Deploying coexisting App-V clients |[Planning for the App-V 5.0 Sequencer and Client Deployment](planning-for-the-app-v-50-sequencer-and-client-deployment.md) |
+ |Unsupported or limited installation scenarios |[App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md) |
+ ---
+
+3. Review the locations for client registry, log, and troubleshooting information:
-
-
-3. Review the locations for client registry, log, and troubleshooting information:
-
-
-
-
-
-
-
-
-Client registry information |
-
-By default, after you install the App-V 5.0 client, the client information is stored in the registry in the following registry key:
-HKEY_LOCAL_MACHINE \ SOFTWARE \ MICROSOFT \ APPV \ CLIENT
-When you deploy a virtualized package to a computer that is running the App-V client, the associated package data is stored in the following location:
-C: \ ProgramData \ App-V
-However, you can reconfigure this location with the following registry key:
-HKEY_LOCAL_MACHINE \ SOFTWARE \ MICROSOFT \ SOFTWARE \ MICROSOFT \ APPV \ CLIENT \ STREAMING \ PACKAGEINSTALLATIONROOT
- |
-
-
-Client log files |
-
-For log file information that is associated with the App-V 5.0 Client, search in the following log:
-Event logs / Applications and Services Logs / Microsoft / AppV
-In App-V 5.0 SP3, some logs have been consolidated and moved to the following location:
-Event logs/Applications and Services Logs/Microsoft/AppV/ServiceLog
-For a list of the moved logs, see [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-event-logs-moved).
-Packages that are currently stored on computers that run the App-V 5.0 Client are saved to the following location:
-C:\ProgramData\App-V\<package id>\<version id>
- |
-
-
-Client installation troubleshooting information |
-See the error log in the %temp% folder. To review the log files, click Start, type %temp%, and then look for the appv_ log. |
-
-
-
-
-
+ | | |
+ |---|---|
+ |Client registry information |
- By default, after you install the App-V 5.0 client, the client information is stored in the registry in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\APPV\CLIENT
- When you deploy a virtualized package to a computer that is running the App-V client, the associated package data is stored in the following location:
C:\ProgramData\App-V
However, you can reconfigure this location with the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SOFTWARE\MICROSOFT\APPV\CLIENT\STREAMING\PACKAGEINSTALLATIONROOT
|
+ |Client log files |
- For log file information that is associated with the App-V 5.0 Client, search in the following log:
Event logs/Applications and Services Logs/Microsoft/AppV
- In App-V 5.0 SP3, some logs have been consolidated and moved to the following location:
Event logs/Applications and Services Logs/Microsoft/AppV/ServiceLog
For a list of the moved logs, see [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-event-logs-moved).
- Packages that are currently stored on computers that run the App-V 5.0 Client are saved to the following location:
C:\ProgramData\App-V\<_package id_>\<_version id_>
|
+ |Client installation troubleshooting information |See the error log in the **%temp%** folder. To review the log files, click **Start**, type **%temp%**, and then look for the **appv_ log**. |
+ ---
+
**To install the App-V 5.0 Client**
-1. Copy the App-V 5.0 client installation file to the computer on which it will be installed. Choose from the following client types:
+1. Copy the App-V 5.0 client installation file to the computer on which it will be installed.
Choose from the following client types:
-
-
-
-
-
-
-
-
-
-
- Standard version of the client |
- appv_client_setup.exe |
-
-
- Remote Desktop Services version of the client |
- appv_client_setup_rds.exe |
-
-
-
+ |Client type |File to use |
+ |---|---|
+ |Standard version of the client |**appv_client_setup.exe** |
+ |Remote Desktop Services version of the client |**appv_client_setup_rds.exe** |
+ ---
-
+2. Double-click the installation file, and click **Install**. Before the installation begins, the installer checks the computer for any missing [App-V 5.0 Prerequisites](app-v-50-prerequisites.md).
-2. Double-click the installation file, and click **Install**. Before the installation begins, the installer checks the computer for any missing [App-V 5.0 Prerequisites](app-v-50-prerequisites.md).
+3. Review and accept the Software License Terms, choose whether to use Microsoft Update and whether to participate in the Microsoft Customer Experience Improvement Program, and click **Install**.
-3. Review and accept the Software License Terms, choose whether to use Microsoft Update and whether to participate in the Microsoft Customer Experience Improvement Program, and click **Install**.
+4. On the **Setup completed successfully** page, click **Close**.
-4. On the **Setup completed successfully** page, click **Close**.
+ The installation creates the following entries for the App-V client in **Programs**:
- The installation creates the following entries for the App-V client in **Programs**:
+ - **.exe**
- - **.exe**
+ - **.msi**
- - **.msi**
+ - **language pack**
+
+ >[!NOTE]
+ >After the installation, only the .exe file can be uninstalled.
- - **language pack**
-
- **Note**
- After the installation, only the .exe file can be uninstalled.
-
-
**To install the App-V 5.0 client using a script**
-1. Install all of the required prerequisite software on the target computers. See [What to do before you start](#bkmk-clt-install-prereqs). If you install the client by using an .msi file, the installation will fail if any prerequisites are missing.
+1. Install all of the required prerequisite software on the target computers. See [What to do before you start](#bkmk-clt-install-prereqs). If you install the client by using an .msi file, the installation will fail if any prerequisites are missing.
-2. To use a script to install the App-V 5.0 client, use the following parameters with **appv\_client\_setup.exe**.
+2. To use a script to install the App-V 5.0 client, use the following parameters with **appv\_client\_setup.exe**.
- **Note**
- The client Windows Installer (.msi) supports the same set of switches, except for the **/LOG** parameter.
+ >[!NOTE]
+ >The client Windows Installer (.msi) supports the same set of switches, except for the **/LOG** parameter.
-
-
-
-
-
-
-
-
-
- /INSTALLDIR |
- Specifies the installation directory. Example usage: /INSTALLDIR=C:\Program Files\AppV Client |
-
-
- /CEIPOPTIN |
- Enables participation in the Customer Experience Improvement Program. Example usage: /CEIPOPTIN=[0|1] |
-
-
- /MUOPTIN |
- Enables Microsoft Update. Example usage: /MUOPTIN=[0|1] |
-
-
- /PACKAGEINSTALLATIONROOT |
- Specifies the directory in which to install all new applications and updates. Example usage: /PACKAGEINSTALLATIONROOT='C:\App-V Packages' |
-
-
- /PACKAGESOURCEROOT |
- Overrides the source location for downloading package content. Example usage: /PACKAGESOURCEROOT='http://packageStore' |
-
-
- /AUTOLOAD |
- Specifies how new packages will be loaded by App-V 5.0 on a specific computer. The following options are enabled: [1]; automatically load all packages [2]; or automatically load no packages [0].Example usage: /AUTOLOAD=[0|1|2] |
-
-
- /SHAREDCONTENTSTOREMODE |
- Specifies that streamed package contents will be not be saved to the local hard disk. Example usage: /SHAREDCONTENTSTOREMODE=[0|1] |
-
-
- /MIGRATIONMODE |
- Allows the App-V 5.0 client to modify the shortcuts and FTAs that are associated with the packages that are created with a previous version. Example usage: /MIGRATIONMODE=[0|1] |
-
-
- /ENABLEPACKAGESCRIPTS |
- Enables the scripts that are defined in the package manifest file or configuration files that should run. Example usage: /ENABLEPACKAGESCRIPTS=[0|1] |
-
-
- /ROAMINGREGISTRYEXCLUSIONS |
- Specifies the registry paths that will not roam with a user profile. Example usage: /ROAMINGREGISTRYEXCLUSIONS=software\classes;software\clients |
-
-
- /ROAMINGFILEEXCLUSIONS |
- Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /ROAMINGFILEEXCLUSIONS 'desktop;my pictures' |
-
-
- /S[1-5]PUBLISHINGSERVERNAME |
- Displays the name of the publishing server. Example usage: /S2PUBLISHINGSERVERNAME=MyPublishingServer |
-
-
- /S[1-5]PUBLISHINGSERVERURL |
- Displays the URL of the publishing server. Example usage: /S2PUBLISHINGSERVERURL=\\pubserver |
-
-
- /S[1-5]GLOBALREFRESHENABLED - |
- Enables a global publishing refresh. Example usage: /S2GLOBALREFRESHENABLED=[0|1] |
-
-
- /S[1-5]GLOBALREFRESHONLOGON |
- Initiates a global publishing refresh when a user logs on. Example usage: /S2LOGONREFRESH=[0|1] |
-
-
- /S[1-5]GLOBALREFRESHINTERVAL - |
- Specifies the publishing refresh interval, where 0 indicates do not periodically refresh. Example usage: /S2PERIODICREFRESHINTERVAL=[0-744] |
-
-
- /S[1-5]GLOBALREFRESHINTERVALUNIT |
- Specifies the interval unit (Hours[0], Days[1]). Example usage: /S2GLOBALREFRESHINTERVALUNIT=[0|1] |
-
-
- /S[1-5]USERREFRESHENABLED |
- Enables user publishing refresh. Example usage: /S2USERREFRESHENABLED=[0|1] |
-
-
- /S[1-5]USERREFRESHONLOGON |
- Initiates a user publishing refresh when a user logs on. Example usage: /S2LOGONREFRESH=[0|1] |
-
-
- /S[1-5]USERREFRESHINTERVAL - |
- Specifies the publishing refresh interval, where 0 indicates do not periodically refresh. Example usage: /S2PERIODICREFRESHINTERVAL=[0-744] |
-
-
- /S[1-5]USERREFRESHINTERVALUNIT |
- Specifies the interval unit (Hours[0], Days[1]). Example usage: /S2USERREFRESHINTERVALUNIT=[0|1] |
-
-
- /Log |
- Specifies a location where the log information is saved. The default location is %Temp%. Example usage: /log C:\logs\log.log |
-
-
- /q |
- Specifies an unattended installation. |
-
-
- /REPAIR |
- Repairs a previous client installation. |
-
-
- /NORESTART |
- Prevents the computer from rebooting after the client installation.
- The parameter prevents the end-user computer from rebooting after each update is installed and lets you schedule the reboot at your convenience. For example, you can install App-V 5.0 SPX and then install Hotfix Package Y without rebooting after the Service Pack installation. After the installation, you must reboot before you start using App-V. |
-
-
- /UNINSTALL |
- Uninstalls the client. |
-
-
- /ACCEPTEULA |
- Accepts the license agreement. This is required for an unattended installation. Example usage: /ACCEPTEULA or /ACCEPTEULA=1. |
-
-
- /LAYOUT |
- Specifies the associated layout action. It also extracts the Windows Installer (.msi) and script files to a folder without installing App-V 5.0. No value is expected. |
-
-
- /LAYOUTDIR |
- Specifies the layout directory. Requires a string value. Example usage: /LAYOUTDIR=”C:\Application Virtualization Client”. |
-
-
- /?, /h, /help |
- Requests help about the previous installation parameters. |
-
-
-
-
-
+ | | |
+ |---|---|
+ |/INSTALLDIR |Specifies the installation directory. Example usage:
**/INSTALLDIR=C:\Program Files\AppV Client** |
+ |/CEIPOPTIN |Enables participation in the Customer Experience Improvement Program. Example usage:
**/CEIPOPTIN=[0\|1\]** |
+ |/MUOPTIN |Enables Microsoft Update. Example usage:
**/MUOPTIN=[0\|1\]** |
+ |/PACKAGEINSTALLATIONROOT |Specifies the directory in which to install all new applications and updates. Example usage:
**/PACKAGEINSTALLATIONROOT='C:\App-V Packages'** |
+ |/PACKAGESOURCEROOT |Overrides the source location for downloading package content. Example usage:
**/PACKAGESOURCEROOT='http://packageStore'** |
+ |/AUTOLOAD |Specifies how new packages will be loaded by App-V 5.0 on a specific computer. The following options are enabled: [1]; automatically load all packages [2]; or automatically load no packages [0]. Example usage:
**/AUTOLOAD=[0\|1\|2\]** |
+ |/SHAREDCONTENTSTOREMODE |Specifies that streamed package contents will be not be saved to the local hard disk. Example usage:
**/SHAREDCONTENTSTOREMODE=[0\|1\]** |
+ |/MIGRATIONMODE |Allows the App-V 5.0 client to modify the shortcuts and FTAs that are associated with the packages that are created with a previous version. Example usage:
**/MIGRATIONMODE=[0\|1\]** |
+ |/ENABLEPACKAGESCRIPTS |Enables the scripts that are defined in the package manifest file or configuration files that should run. Example usage:
**/ENABLEPACKAGESCRIPTS=[0\|1\]** |
+ |/ROAMINGREGISTRYEXCLUSIONS |Specifies the registry paths that will not roam with a user profile. Example usage:
**/ROAMINGREGISTRYEXCLUSIONS=software\classes;software\clients** |
+ |/ROAMINGFILEEXCLUSIONS |Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage:
**/ROAMINGFILEEXCLUSIONS 'desktop;my pictures'** |
+ |/S[1-5]PUBLISHINGSERVERNAME |Displays the name of the publishing server. Example usage:
**/S2PUBLISHINGSERVERNAME=MyPublishingServer** |
+ |/S[1-5]PUBLISHINGSERVERURL |Displays the URL of the publishing server. Example usage:
**/S2PUBLISHINGSERVERURL=\\pubserver** |
+ |/S[1-5]GLOBALREFRESHENABLED|Enables a global publishing refresh. Example usage:
**/S2GLOBALREFRESHENABLED=[0\|1\]** |
+ |/S[1-5]GLOBALREFRESHONLOGON |Initiates a global publishing refresh when a user logs on. Example usage:
**/S2LOGONREFRESH=[0\|1\]** |
+ |/S[1-5]GLOBALREFRESHINTERVAL |Specifies the publishing refresh interval, where **0** indicates do not periodically refresh. Example usage: **/S2PERIODICREFRESHINTERVAL=[0-744]** |
+ |/S[1-5]GLOBALREFRESHINTERVALUNIT |Specifies the interval unit (Hours[0], Days[1]). Example usage:
**/S2GLOBALREFRESHINTERVALUNIT=[0\|1\]** |
+ |/S[1-5]USERREFRESHENABLED |Enables user publishing refresh. Example usage: **/S2USERREFRESHENABLED=[0\|1\]** |
+ |/S[1-5]USERREFRESHONLOGON |Initiates a user publishing refresh when a user logs on. Example usage:
**/S2LOGONREFRESH=[0\|1\]** |
+ |/S[1-5]USERREFRESHINTERVAL |Specifies the publishing refresh interval, where **0** indicates do not periodically refresh. Example usage: **/S2PERIODICREFRESHINTERVAL=[0-744]** |
+ |/S[1-5]USERREFRESHINTERVALUNIT |Specifies the interval unit (Hours[0], Days[1]). Example usage:
**/S2USERREFRESHINTERVALUNIT=[0\|1\]** |
+ |/Log |Specifies a location where the log information is saved. The default location is %Temp%. Example usage:
**/log C:\logs\log.log** |
+ |/q |Specifies an unattended installation. |
+ |/REPAIR |Repairs a previous client installation. |
+ |/NORESTART |Prevents the computer from rebooting after the client installation.
The parameter prevents the end-user computer from rebooting after each update is installed and lets you schedule the reboot at your convenience. For example, you can install App-V 5.0 SPX and then install Hotfix Package Y without rebooting after the Service Pack installation. After the installation, you must reboot before you start using App-V. |
+ |/UNINSTALL |Uninstalls the client. |
+ |/ACCEPTEULA |Accepts the license agreement. This is required for an unattended installation. Example usage:
**/ACCEPTEULA** or **/ACCEPTEULA=1** |
+ |/LAYOUT |Specifies the associated layout action. It also extracts the Windows Installer (.msi) and script files to a folder without installing App-V 5.0. No value is expected. |
+ |/LAYOUTDIR |Specifies the layout directory. Requires a string value. Example usage:
**/LAYOUTDIR=”C:\Application Virtualization Client”** |
+ |/?, /h, /help |Requests help about the previous installation parameters. |
+ ---
**To install the App-V 5.0 client by using the Windows Installer (.msi) file**
-1. Install the required prerequisites on the target computers. See [What to do before you start](#bkmk-clt-install-prereqs). If any prerequisites are not met, the installation will fail.
+1. Install the required prerequisites on the target computers. See [What to do before you start](#bkmk-clt-install-prereqs). If any prerequisites are not met, the installation will fail.
-2. Ensure that the target computers do not have any pending restarts before you install the client using the App-V 5.0 Windows Installer (.msi) files. The Windows Installer files do not flag a pending restart.
+2. Ensure that the target computers do not have any pending restarts before you install the client using the App-V 5.0 Windows Installer (.msi) files. The Windows Installer files do not flag a pending restart.
-3. Deploy one of the following Windows Installer files to the target computer. The file that you specify must match the configuration of the target computer.
+3. Deploy one of the following Windows Installer files to the target computer. The file that you specify must match the configuration of the target computer.
-
-
-
-
-
-
-
-
-
-
- Computer is running a 32-bit Microsoft Windows operating system |
- appv_client_MSI_x86.msi |
-
-
- Computer is running a 64-bit Microsoft Windows operating system |
- appv_client_MSI_x64.msi |
-
-
- You are deploying the App-V 5.0 Remote Desktop Services client |
- appv_client_rds_MSI_x64.msi |
-
-
-
+ |Type of deployment |Deploy this file |
+ |---|---|
+ |Computer is running a 32-bit Microsoft Windows operating system |appv_client_MSI_x86.msi |
+ |Computer is running a 64-bit Microsoft Windows operating system |appv_client_MSI_x64.msi |
+ |You are deploying the App-V 5.0 Remote Desktop Services client |appv_client_rds_MSI_x64.msi |
+ ---
+
+4. Using the information in the following table, select the appropriate language pack **.msi** to install, based on the desired language for the target computer. The **xxxx** in the table refers to the target locale of the language pack.
-
+ **What to know before you start:**
-4. Using the information in the following table, select the appropriate language pack **.msi** to install, based on the desired language for the target computer. The **xxxx** in the table refers to the target locale of the language pack.
+ - The language packs are common to both the standard App-V 5.0 client and the Remote Desktop Services version of the App-V 5.0 client.
- **What to know before you start:**
+ - If you install the App-V 5.0 client using the **.exe**, the installer will deploy only the language pack that matches the operating system running on the target computer.
- - The language packs are common to both the standard App-V 5.0 client and the Remote Desktop Services version of the App-V 5.0 client.
+ - To deploy additional language packs on a target computer, use the procedure **To install the App-V 5.0 client by using Windows Installer (.msi) file**.
- - If you install the App-V 5.0 client using the **.exe**, the installer will deploy only the language pack that matches the operating system running on the target computer.
-
- - To deploy additional language packs on a target computer, use the procedure **To install the App-V 5.0 client by using Windows Installer (.msi) file**.
-
-
-
-
-
-
-
-
-
-
-
- Computer is running a 32-bit Microsoft Windows operating system |
- appv_client_LP_xxxx_ x86.msi |
-
-
- Computer is running a 64-bit Microsoft Windows operating system |
- appv_client_LP_xxxx_ x64.msi |
-
-
-
-
-
-
- **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+ |Type of deployment |Deploy this file |
+ |---|---|
+ |Computer is running a 32-bit Microsoft Windows operating system |appv_client_LP_xxxx_ x86.msi |
+ |Computer is running a 64-bit Microsoft Windows operating system |appv_client_LP_xxxx_ x64.msi |
+ ---
+
+ **Got a suggestion for App-V**? Add or vote on [suggestions](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
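Review bot: In the rebuilt parameter table, several "Example usage" values name a different switch than the row they document: the /S[1-5]GLOBALREFRESHONLOGON and /S[1-5]USERREFRESHONLOGON rows both show /S2LOGONREFRESH, and the /S[1-5]GLOBALREFRESHINTERVAL and /S[1-5]USERREFRESHINTERVAL rows both show /S2PERIODICREFRESHINTERVAL. Since the table is being rewritten anyway, confirm the correct switch names and make each example match its row, so that an unattended install scripted from these examples gets the publishing refresh settings the admin intended. Also worth checking in the same pass: the PACKAGEINSTALLATIONROOT registry path repeats SOFTWARE\MICROSOFT twice, unlike the client key given just above it; the closing bracket in [0\|1\] is escaped although only the pipe needs escaping inside a table cell; "will be not be saved" in the /SHAREDCONTENTSTOREMODE row has a doubled "be"; and the /LAYOUTDIR example uses typographic quotes (”), which a command line does not treat as quoting characters.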
@@ -362,12 +159,3 @@ Use the following procedure to install the Microsoft Application Virtualization
[About Client Configuration Settings](about-client-configuration-settings.md)
[How to Uninstall the App-V 5.0 Client](how-to-uninstall-the-app-v-50-client.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
index b183080d0a..bb717d6751 100644
--- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
+++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
@@ -22,7 +22,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531)
-2. Run the downloaded file to extract the template folders.
+2. Expand the downloaded .cab file by running `expand \MDOP_ADMX_Templates.cab -F:* `
**Warning**
Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file.
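Review bot: The command in the new step 2 looks incomplete: the source path starts with a bare backslash and nothing follows -F:*, so it reads as if placeholders for the download folder and the destination folder were lost (the trailing space inside the backticks points the same way). The warning right below tells readers not to extract directly to the Group Policy deployment directory, so the step should carry an explicit destination placeholder and say that it is a separate staging folder.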
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 393503a4e4..db464151f8 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -297,7 +297,7 @@ In this part of the walkthrough, we'll be working on the Microsoft Intune management portal, select **Admin**.
-2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first tiem you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**.
+2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first item you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**.
**Figure 24** - Mobile device management
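Review bot: The added line changes "first tiem" to "first item", but the sentence only makes sense as "If this is the first time you're using the portal"; please correct it to "time".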
@@ -433,7 +433,7 @@ In the Intune management
2. Log in to the Intune management portal.
3. Select **Groups** and then go to **Devices**.
4. In the **All Devices** page, look at the list of devices and select the entry that matches the name of your PC.
- - Check that the device name appears in the list. Select the device and it will also show the user that's currently logged in in the **General Information** section.
+ - Check that the device name appears in the list. Select the device and it will also show the current logged-in user in the **General Information** section.
- Check the **Management Channel** column and confirm that it says **Managed by Microsoft Intune**.
- Check the **AAD Registered** column and confirm that it says **Yes**.
diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md
index 62db55062d..e3c4b43dac 100644
--- a/store-for-business/app-inventory-management-microsoft-store-for-business.md
+++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md
@@ -9,7 +9,7 @@ ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
-ms.date: 06/07/2018
+ms.date: 10/23/2018
---
# App inventory management for Microsoft Store for Business and Education
@@ -19,7 +19,7 @@ ms.date: 06/07/2018
- Windows 10
- Windows 10 Mobile
-You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role.
+You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role.
All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.
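Review bot: The added paragraph still reads "including apps that from Microsoft Store", which is missing a word (for example "apps from Microsoft Store"), and "you can accept, or reject the LOB apps" has a stray comma; since this line is already being touched, fix both here. The removed and added lines otherwise show no visible difference.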
@@ -68,16 +68,26 @@ Each app in the Store for Business has an online, or an offline license. For mor
The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
-## Distribute apps
+## Assign apps
+For online-licensed apps, you can assign apps directly to people in your organization.
-For online-licensed apps, there are a couple of ways to distribute apps from your inventory:
-- Assign apps to people in your organization.
-- Add apps to your private store, and let people in your organization install the app.
+**To assign an app to an employee**
-If you use a management tool that supports Microsoft Store, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md).
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Find an app, click the ellipses, and then choose **Assign to people**.
+4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
+Employees will receive an email with a link that will install the app on their device. Click the link to start the Microsoft Store app, and then click **Install**. Also, in the Microsoft Store app, they can find the app under **My Library**.
+
+There are other options for distributing apps:
+- **Use a management tool** - If you use a management tool that supports Microsoft Store, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md).
+- **Distribute from private store** - You can also add apps to your private store, and let people get them on their own. For more information, see [Distribute apps from private store](#distribute-apps-from-private-store)
+
+## Distribute apps from private store
Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
+### Add apps to your private store
**To make an app in Apps & software available in your private store**
1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com).
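Review bot: In the added "Use a management tool" bullet, "managment" is misspelled (carried over from the removed paragraph); fix it to "management". In step 1 of the new procedure, the Microsoft Store for Business and Microsoft Store for Education links both point to https://businessstore.microsoft.com, so confirm the Education link is intended. The paragraph after step 4 also switches subject midway ("Employees will receive an email ... Click the link ..."); "They click the link" would read more clearly. The "Distribute from private store" bullet is missing its closing period.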
@@ -88,6 +98,7 @@ Once an app is in your private store, people in your org can install the app on
The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store.
Employees can claim apps that admins added to the private store by doing the following.
+### Get and remove private store apps
**To claim an app from the private store**
1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Microsoft Store app.
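Review bot: The new heading "### Get and remove private store apps" is inserted directly after the sentence "Employees can claim apps that admins added to the private store by doing the following.", which leaves that lead-in stranded at the end of the previous subsection, separated from the procedure it introduces. Move the heading above that sentence.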
@@ -107,14 +118,20 @@ If you decide that you don't want an app available for employees to install on t
The app will still be in your inventory, but your employees will not have access to the app from your private store.
-**To assign an app to an employee**
+### Private store availability
+On the details page for each app, you can directly assign an app to a user, or for apps in your private store, you can set **Private store availability**.
-1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com).
-2. Click **Manage**, and then choose **Inventory**.
-3. Find an app, click the ellipses, and then choose **Assign to people**.
-4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
+**Private store availability** allows you to choose which groups of people can see an app in the private store:
+- No one - The app isn't in your private store
+- Everyone - The app is available to anyone in your organization
+- Specific groups - The app is available to all users in assigned security groups
-Employees will receive an email with a link that will install the app on their device. Click the link to start the Microsoft Store app, and then click **Install**. Also, in the Microsoft Store app, they can find the app under **My Library**.
+**To assign security groups to an app**
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Products & services**.
+3. Find an app, choose the ellipses, and then choose **View license details**.
+4. Click **Private store availability**, select **Specific groups**, and then click **Assign groups**.
+5. Enter a name or email address for the security group you want to use, and then click **Add groups**.
## Manage app licenses
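Review bot: the new "Private store availability" text says the setting controls which groups "can see an app in the private store", but the cross-reference added to distribute-apps-from-your-private-store.md in this patch says it scopes "which users can install an app". Visibility and install entitlement are different controls, and admins will rely on this wording when scoping access, so state which one is enforced. Since the opening sentence offers direct assignment and group availability side by side, also say whether a user who was directly assigned an app keeps it when they are outside the selected security groups. Step 2 here uses "Products & services" while the other file uses "Products and services"; use the exact label from the portal in both.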
@@ -123,9 +140,9 @@ For each app in your inventory, you can view and manage license details. This gi
**To view license details**
1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com).
-2. Click **Manage**, and then choose **Apps & software**.
+2. Click **Manage**, and then choose **Products & services**.
3. Click an app you want to manage.
-4. On the app page, you'll see the names of people in your organization who have installed the app and are using one of the licenses. From here, you can:
+4. On the app details page, you'll see the names of people in your organization who have installed the app and are using one of the licenses. From here, you can:
- Assign the app to other people in your organization.
- Reclaim app licenses.
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index 1806050398..e83245f0e8 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -10,12 +10,11 @@ author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 3/19/2018
+ms.date: 10/31/2018
---
# Distribute apps using your private store
-
**Applies to**
- Windows 10
@@ -33,12 +32,12 @@ You can make an app available in your private store when you acquire the app, or
-Microsoft Store adds the app to **Apps & software**. Click **Manage**, **Apps & software** for app distribution options.
+Microsoft Store adds the app to **Products and services**. Click **Manage**, **Apps & software** for app distribution options.
**To make an app in Apps & software available in your private store**
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**, and then choose **Apps & software**.
+2. Click **Manage**, and then choose **Products and services**.
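Review bot: the first changed line renames only half of its sentence. It now reads "adds the app to **Products and services**. Click **Manage**, **Apps & software** for app distribution options", so the reader is sent to a menu item the previous sentence no longer mentions, and the procedure title in the context still says "in Apps & software". Rename all three occurrences together. This file also writes "Products and services" where app-inventory-management-microsoft-store-for-business.md, and the note a few lines further down in this file, write "Products & services"; match the UI label exactly.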
@@ -52,6 +51,9 @@ The value under **Private store** for the app will change to pending. It will ta
>[!Note]
> If you are working with a new Line-of-Business (LOB) app, you have to wait for the app to be avilable in **Products & services** before adding it to your private store. For more information, see [Working with line of business apps](working-with-line-of-business-apps.md).
+## Private store availability
+You can use security groups to scope which users can install an app from your private store. For more information, see [Private store availability](app-inventory-management-microsoft-store-for-business.md#private-store-availability).
+
Employees can claim apps that admins added to the private store by doing the following.
**To claim an app from the private store**
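Review bot: adding "## Private store availability" at this position puts the unchanged paragraph "Employees can claim apps that admins added to the private store by doing the following." and the "To claim an app from the private store" procedure underneath the new H2, although neither is about availability scoping. Either move the new section below the claim procedure or give the claim steps their own heading, as the inventory topic does with "Get and remove private store apps". While this area is open, "avilable" in the note just above the new section is misspelled.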
@@ -60,16 +62,8 @@ Employees can claim apps that admins added to the private store by doing the fol
2. Click the **private store** tab.
3. Click the app you want to install, and then click **Install**.
+
## Related topics
- [Manage access to private store](manage-access-to-private-store.md)
- [Manage private store settings](manage-private-store-settings.md)
-- [Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store)
-
-
-
-
-
-
-
-
-
+- [Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store)
\ No newline at end of file
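Review bot: the rewritten last line leaves the file without a trailing newline, as the "\ No newline at end of file" marker shows. Removing the run of empty lines is fine, but end the file with a single newline so later appends and diffs against this line stay clean.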
diff --git a/store-for-business/images/security-groups-icon.png b/store-for-business/images/security-groups-icon.png
new file mode 100644
index 0000000000..328a60837d
Binary files /dev/null and b/store-for-business/images/security-groups-icon.png differ
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 43b5a93ec5..0b88f3f051 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -8,7 +8,7 @@ ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
-ms.date: 09/27/2018
+ms.date: 10/31/2018
---
# Microsoft Store for Business and Education release history
@@ -17,6 +17,9 @@ Microsoft Store for Business and Education regularly releases new and improved f
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
+## September 2018
+- **Performance improvements** - With updates and improvements in the private store, most changes, like adding an app, will take fifteen minutes or less. [Get more info](https://https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
+
## August 2018
- **App requests** - People in your organization can make requests for apps that they need. hey can also request them on behalf of other people. Admins review requests and can decide on purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#allow-app-requests)
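Review bot: the "Get more info" link in the new September 2018 entry has a doubled scheme, "https://https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance", which will not resolve; drop one "https://". The same malformed URL is in the row being removed from the what's-new topic, so it looks copied over unchanged. In the August 2018 context line, "hey can also request them" should read "They".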
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index f75698bd74..39896e6c80 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -8,7 +8,7 @@ ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
-ms.date: 09/27/2018
+ms.date: 10/31/2018
---
# What's new in Microsoft Store for Business and Education
@@ -17,10 +17,10 @@ Microsoft Store for Business and Education regularly releases new and improved f
## Latest updates for Store for Business and Education
-**September 2018**
+**October 2018**
| | |
|-----------------------|---------------------------------|
-|  |**Performance improvements**
With updates and improvements in the private store, most changes, like adding an app, will take fifteen minutes or less. If you make multiple changes at once, they may show at different times within the fifteen minutes. On rare occasions, private store changes might take up to an hour.
[Get more info](https://https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
+|  |**Use security groups with Private store apps**
On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store.
[Get more info](https://docs.microsoft.com/microsoft-store/app-inventory-management-microsoft-store-for-business#private-store-availability)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
Ihv_Configuring --> Configuring --> Associating --> Authenticating -->
Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset
-- Filtering the ETW trace with the provided [TextAnalyisTool (TAT)](https://github.com/TextAnalysisTool/Releases) filter is an easy first step to determine where a failed connection setup is breaking down:
+- Filtering the ETW trace with the provided [TextAnalyisTool (TAT)](Missing wifi.tat file) filter is an easy first step to determine where a failed connection setup is breaking down:
Use the **FSM transition** trace filter to see the connection state machine.
Example of a good connection setup:
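Review bot: the replacement link target "(Missing wifi.tat file)" is placeholder text rather than a URL or relative path, so the TextAnalysisTool link will render broken where the removed line had a working GitHub link. Either keep the previous target until the filter file is available, or commit the wifi.tat file and link to its path. The link text "TextAnalyisTool" is also misspelled.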
diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md
index 0a1952a064..f8a9d1a2c6 100644
--- a/windows/client-management/data-collection-for-802-authentication.md
+++ b/windows/client-management/data-collection-for-802-authentication.md
@@ -5,7 +5,7 @@ keywords: troubleshooting, data collection, data, 802.1x authentication, authent
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
-author: mikeblodge
+author: kaushika-msft
ms.localizationpriority: medium
ms.author: mikeblodge
ms.date: 10/29/2018
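Review bot: "author" changes to kaushika-msft but "ms.author" on the context line two below stays mikeblodge, so the two metadata fields now name different people. If ownership of the topic moved, update "ms.author" in the same change; if not, leave "author" as it was. "ms.date" also stays at 10/29/2018 even though the next hunk rewrites most of the body.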
@@ -14,538 +14,371 @@ ms.date: 10/29/2018
# Data Collection for Troubleshooting 802.1x Authentication
-## Steps to capture Wireless/Wired functionality logs
-
+## Capture wireless/wired functionality logs
+
+Use the following steps to collect wireless and wired logs on Windows and Windows Server:
+
1. Create C:\MSLOG on the client machine to store captured logs.
-2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log:
+2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log.
-**On Windows 8.1, Windows 10 Wireless Client**
+ **Wireless Windows 8.1 and Windows 10:**
-```dos
-netsh ras set tracing * enabled
-```
-```dos
-netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
-```
+ ```
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
+ ```
-**On Windows 7, Winodws 8 Wireless Client**
-```dos
-netsh ras set tracing * enabled
-```
-```dos
-netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
-```
+ **Wireless Windows 7 and Windows 8:**
+ ```
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
+ ```
-**On Wired network client**
-
-```dos
-netsh ras set tracing * enabled
-```
-```dos
-netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
-```
+ **Wired client, regardless of version**
+ ```
+ netsh ras set tracing * enabled
+ netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
+ ```
-3. Run the followind command to enable CAPI2 logging:
-
-```dos
-wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
-```
+3. Run the following command to enable CAPI2 logging:
+
+ ```
+ wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
+ ```
4. Create C:\MSLOG on the NPS to store captured logs.
5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log:
-**On Windows Server 2012 R2, Windows Server 2016 Wireless network**
+ **Windows Server 2012 R2, Windows Server 2016 wireless network:**
- ```dos
- netsh ras set tracing * enabled
```
- ```dos
- netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
```
-**On Windows Server 2008 R2, Winodws Server 2012 Wireless network**
+ **Windows Server 2008 R2, Windows Server 2012 wireless network**
- ```dos
- netsh ras set tracing * enabled
```
- ```dos
- netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
```
-**On wired network**
+ **Wired network**
- ```dos
- netsh ras set tracing * enabled
```
- ```dos
- netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
+ netsh ras set tracing * enabled
+ netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
```
-6. Run the followind command to enable CAPI2 logging:
+6. Run the following command to enable CAPI2 logging:
- ```dos
+ ```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
```
-
7. Run the following command from the command prompt on the client machine and start PSR to capture screen images:
-
-> [!NOTE]
-> When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
+ > [!NOTE]
+ > When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
- ```dos
+ ```
psr /start /output c:\MSLOG\%computername%\_psr.zip /maxsc 100
```
-
8. Repro the issue.
-
-9. Run the following command on the client machine to stop the PSR capturing:
+9. Run the following command on the client PC to stop the PSR capturing:
- ```dos
- psr /stop
- ```
+ ```
+ psr /stop
+ ```
10. Run the following commands from the command prompt on the NPS.
-**Stopping RAS trace log and Wireless scenario log**
+ - To stop RAS trace log and wireless scenario log:
- ```dos
- netsh trace stop
- ```
- ```dos
- netsh ras set tracing * disabled
- ```
-
-**Disabling and copying CAPI2 log**
+ ```
+ netsh trace stop
+ netsh ras set tracing * disabled
+ ```
+ - To disable and copy CAPI2 log:
- ```dos
- wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
- ```
- ```dos
- wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
- ```
+ ```
+ wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
+ wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
+ ```
-11. Run the following commands from the prompt on the client machine.
+11. Run the following commands on the client PC.
+ - To stop RAS trace log and wireless scenario log:
+ ```
+ netsh trace stop
+ netsh ras set tracing * disabled
+ ```
-**Stopping RAS trace log and Wireless scenario log**
+ - To disable and copy the CAPI2 log:
+ ```
+ wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
+ wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
+ ```
+
+12. Save the following logs on the client and the NPS:
+
+ **Client**
+ - C:\MSLOG\%computername%_psr.zip
+ - C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
+ - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
+ - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
+ - All log files and folders in %Systemroot%\Tracing
+
+ **NPS**
+ - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
+ - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
+ - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
+ - All log files and folders in %Systemroot%\Tracing
- ```dos
- netsh trace stop
- ```
- ```dos
- netsh ras set tracing * disabled
- ```
-
-**Disabling and copying CAPI2 log**
+## Save environmental and configuration information
+
+### On Windows client
- ```dos
- wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
- ```
- ```dos
- wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
- ```
-
-12. Save the following logs on the client and the NPS.
-
-**Client**
- - C:\MSLOG\%computername%_psr.zip
- - C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
- - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
- - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
- - All log files and folders in %Systemroot%\Tracing
-
-**NPS**
- - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
- - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
- - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
- - All log files and folders in %Systemroot%\Tracing
-
-
-### Steps to save environmental / configuration information
-
-**Client**
1. Create C:\MSLOG to store captured logs.
2. Launch a command prompt as an administrator.
3. Run the following commands.
- - Environmental information and Group Policies application status
- ```dos
- gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm
-
- msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
-
- ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
-
- route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
- ```
-
-**Event logs**
-
-**Run the following command on Windows 8 and above **
-```dos
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
-```
-
-```dos
-wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
-
-wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
-
-wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
-
-wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
-
-wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
-
-wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
-```
-
-**Certificates Store information**
-
-```dos
-certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
-
-certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
-
-certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
-
-certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
-
-certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
-
-certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
-
-certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
-
-certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
-```
-
-**Wireless LAN Client information**
-```dos
-netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
-
-netsh wlan export profile folder=c:\MSLOG\
-```
-
-**Wired LAN Client information**
-```dos
-netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
-
-netsh lan export profile folder=c:\MSLOG\
-```
-
-4. Save the logs stored in C:\MSLOG.
-
-
-**NPS**
- 1. Create C:\MSLOG to store captured logs.
- 2. Launch a command prompt as an administrator.
- 3. Run the following commands:
-
- **Environmental information and Group Policies application status**
-
- ```dos
- gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
-
+ - Environmental information and Group Policies application status
+
+ ```
+ gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm
+ msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
+ ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
+ route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
+ ```
+ - Event logs
+
+ ```
+ wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
+ wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
+ wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
+ wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
+ wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
+ wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
+ ```
+ - For Windows 8 and later, also run these commands for event logs:
+
+ ```
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
+ ```
+ - Certificates Store information:
+
+ ```
+ certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
+ certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
+ certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
+ certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
+ certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
+ certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
+ certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
+ certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
+ certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
+ certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
+ ```
+ - Wireless LAN client information:
+
+ ```
+ netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
+ netsh wlan export profile folder=c:\MSLOG\
+ ```
+ - Wired LAN Client information
+
+ ```
+ netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
+ netsh lan export profile folder=c:\MSLOG\
+ ```
+4. Save the logs stored in C:\MSLOG.
+
+### On NPS
+
+1. Create C:\MSLOG to store captured logs.
+2. Launch a command prompt as an administrator.
+3. Run the following commands.
+ - Environmental information and Group Policies application status:
+
+ ```
+ gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
-
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
-
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
```
+ - Event logs:
+
+ ```
+ wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
+ wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
+ wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
+ wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
+ ```
+ - Run the following 3 commands on Windows Server 2012 and later:
+
+ ```
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
+ ```
+ - Certificates store information
+
+ ```
+ certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
+ certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
+ certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
+ certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
+ certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
+ certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
+ certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
+ certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
+ certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
+ certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
+ ```
+ - NPS configuration information:
+
+ ```
+ netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
+ netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
+ ```
+3. Take the following steps to save an NPS accounting log.
+ 1. Open **Administrative tools > Network Policy Server**.
+ 2. On the Network Policy Server administration tool, select **Accounting** in the left pane.
+ 3. Click **Change Log File Properties**.
+ 4. On the **Log File** tab, note the log file naming convention shown as **Name** and the log file location shown in **Directory** box.
+ 5. Copy the log file to C:\MSLOG.
-**Event logs**
-**Run the following 3 commands on Windows Server 2012 and above:**
-```dos
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
-```
+4. Save the logs stored in C:\MSLOG.
-```dos
-wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
-
-wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
-
-wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
-
-wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
-```
+### Certificate Authority (CA) (OPTIONAL)
-**Certificates store information**
-```dos
-certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
-
-certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
-
-certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
-
-certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
-
-certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
-
-certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
-
-certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
-
-certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
-```
-
-**NPS configuration information**
-```dos
-netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
-
-netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
-```
-
-3. Take the following steps to save an NPS accounting log:
-4. Launch **Administrative tools** - **Network Policy Server**.
- - On the Network Policy Server administration tool, select **Accounting** in the left pane.
- - Click **Change Log File Properties** in the right pane.
- - Click the **Log File** tab, note the log file naming convention shown as *Name* and the log file location shown in the **Directory** box.
- - Copy the log file to C:\MSLOG.
- - Save the logs stored in C:\MSLOG.
-
-
-**Certificate Authority (CA)** *Optional*
-
-1. On a CA, launch a command prompt as an administrator.
-2. Create C:\MSLOG to store captured logs.
-3. Run the following commands:
-
-Environmental information and Group Policies application status
-
-```dos
-gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
-
-msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
-
-ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
-
-route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
-```
-
-**Event logs**
-
-**Run the following 3 lines on Windows 2012 and up:**
-
-```dos
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
-```
-
-```dos
-wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
-
-wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
-
-wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
-
-wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
-```
-
-**Certificates store information**
-
-```dos
-certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
-
-certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
-
-certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
-
-certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
-
-certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
-
-certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
-
-certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
-
-certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
-```
-
-**CA configuration information**
-```dos
-reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
-
-reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
-
-reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
-
-reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx
-```
-
-4. Copy the following files, if exist, to C:\MSLOG. %windir%\CAPolicy.inf
-5. Log on to a domain controller and create C:\MSLOG to store captured logs.
-6. Launch Windows PowerShell as an administrator.
-7. Run the following PowerShell commandlets
-
- \* Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
-```powershell
-Import-Module ActiveDirectory
-
-Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
-```
-8. Save the following logs:
-- All files in C:\MSLOG on the CA
-- All files in C:\MSLOG on the domain controller
+1. On a CA, launch a command prompt as an administrator. Create C:\MSLOG to store captured logs.
+2. Run the following commands.
+ - Environmental information and Group Policies application status
+
+ ```
+ gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
+ msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
+ ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
+ route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
+ ```
+ - Event logs
+
+ ```
+ wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
+ wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
+ wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
+ wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
+ ```
+ - Run the following 3 lines on Windows 2012 and up
+
+ ```
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
+ ```
+ - Certificates store information
+
+ ```
+ certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
+ certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
+ certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
+ certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
+ certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
+ certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
+ certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
+ certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
+ certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
+ certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
+ ```
+ - CA configuration information
+
+ ```
+ reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
+ reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
+ reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
+ reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx
+ ```
+3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf
+4. Log on to a domain controller and create C:\MSLOG to store captured logs.
+5. Launch Windows PowerShell as an administrator.
+6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
+
+ ```powershell
+ Import-Module ActiveDirectory
+ Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
+ ```
+7. Save the following logs.
+ - All files in C:\MSLOG on the CA
+ - All files in C:\MSLOG on the domain controller
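Review bot: The NPS step `netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES` writes the RADIUS shared secrets into the export file unencrypted, and the procedure then tells the reader to copy and save everything in C:\MSLOG with no handling guidance. Add a note beside that command saying the export must be treated as a secret: restrict access to C:\MSLOG, transfer the file only over a protected channel, and delete it once the case is closed. Three smaller items carried over from the removed text: the last CA configuration command writes to `_Cryptography.tx`, which looks like a truncated `.txt`; `gpresult /H` produces an HTML report but the output file is named `_gpresult.txt`; and the `\_` and `\*` sequences inside the fenced blocks are literal there, so if they are in the source file the commands as copied point at a `%COMPUTERNAME%` subfolder that step 1 never creates.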
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index 231682d2b9..7b80381b7c 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -23,7 +23,13 @@ To make use of the Settings App group polices on Windows server 2016, install fi
To centrally manage the new policies copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) if your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management.
-This policy is available at **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
+This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app.
+
+Policy paths:
+
+**Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
+
+**User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.

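Review bot: The added paragraph says some OS versions expose Settings Page Visibility under both Computer Configuration and User Configuration, but nothing states which setting is effective when both are configured with different lists. Add a sentence after the two policy paths giving the precedence, so an admin who restricts pages per computer knows how a user-scoped list interacts with it.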
@@ -32,7 +38,7 @@ This policy is available at **Computer Configuration** > **Administrative Templa
The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
>[!NOTE]
-> When you specify the URI in the Settings Page Visbility textbox, don't include **ms-settings:** in the string.
+> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
Here are some examples:
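Review bot: The typo fix in the NOTE line is incomplete: the unchanged paragraph just above it still reads "**Settings Page Visiblity**". Fix that occurrence in the same change so the policy name is spelled the same way throughout the page.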
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 170d3d38f2..5d145ddd7f 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -225,7 +225,6 @@
#### [LanmanWorkstation](policy-csp-lanmanworkstation.md)
#### [Licensing](policy-csp-licensing.md)
#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
-#### [Location](policy-csp-location.md)
#### [LockDown](policy-csp-lockdown.md)
#### [Maps](policy-csp-maps.md)
#### [Messaging](policy-csp-messaging.md)
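Review bot: Removing the `[Location](policy-csp-location.md)` entry here goes together with the deletion of policy-csp-location.md later in this diff, but the part of the diff shown adds no redirect for the deleted page. Add a redirection entry, or confirm one already exists, so that existing links to policy-csp-location.md#location-enablelocation keep resolving.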
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index 4e860c0b4b..8aa018c18c 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -79,7 +79,7 @@ Using the ICD, create a provisioning package using the enrollment information re
12. Enter the values for your package and specify the package output location.

- 
+ 

13. Click **Build**.
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 4b08386596..7bc515edc2 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 07/26/2018
+ms.date: 10/31/2018
---
# PassportForWork CSP
@@ -212,7 +212,7 @@ Node for defining biometric settings. This node was added in Windows 10, versi
**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511.
-Default value is false. If you set this policy to true, biometric gestures are enabled for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business.
+Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business.
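Review bot: The new line reverses the documented default for Biometrics/UseBiometrics from false to true without saying whether the default changed in a particular release or the earlier text was simply wrong. Since the paragraph above says the node was added in Windows 10, version 1511, state which versions the true default applies to, and keep a separate sentence for what setting the value to true does so that both values are described in parallel.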
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 6f65055513..79bf2a8409 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -21,7 +21,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
The XML below is for Windows 10, version 1809.
-``` syntax
+```xml
False
- Enables/Disables Dyanamic Lock
+ Enables/Disables Dynamic Lock
@@ -1304,4 +1304,4 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
-```
\ No newline at end of file
+```
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 04c4a70288..b8eeef6c2d 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -2280,13 +2280,7 @@ The following diagram shows the Policy configuration service provider in tree fo
-### Location policies
-
- -
- Location/EnableLocation
-
-
### LockDown policies
@@ -4678,7 +4672,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation)
- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode)
- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations)
-- [Location/EnableLocation](./policy-csp-location.md#location-enablelocation)
- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe)
- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 996f6c944d..47f25fad53 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 08/08/2018
+ms.date: 11/14/2018
---
# Policy CSP - Defender
@@ -1366,7 +1366,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
-Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
+Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
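Review bot: In the reworded sentence, "allows user-specified applications to the controlled folder access feature" is missing a verb; the sibling policy further down uses "allows adding user-specified folder locations to". Suggest "allows adding user-specified applications to the controlled folder access feature" so the two descriptions read the same way.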
@@ -1421,7 +1421,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
-Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
+Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
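Review bot: The rewritten line keeps two wording errors from the old text: "This policy settings allows" should be "This policy setting allows", and "can not be changed" should be "cannot be changed". Both are worth fixing while the sentence is being touched.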
@@ -1679,7 +1679,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.
-Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
+Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
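Review bot: The line gives the states as "(On/Off/Audit)" and the range as "0 - 2" but does not say which integer selects which state, and the order in which the states are listed does not obviously correspond to ascending values. Spell out the mapping in this paragraph, one value per state, so that an admin does not deploy Audit or Off when intending to enforce the feature.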
diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md
deleted file mode 100644
index 8745836c59..0000000000
--- a/windows/client-management/mdm/policy-csp-location.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: Policy CSP - Location
-description: Policy CSP - Location
-ms.author: maricia
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: MariciaAlforque
-ms.date: 08/09/2018
----
-
-# Policy CSP - Location
-
-
-
-
-
-
-## Location policies
-
-
- -
- Location/EnableLocation
-
-
-
-
-
-
-
-**Location/EnableLocation**
-
-
-
-
- Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- Mobile Enterprise |
-
-
-  |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.
-
-> [!IMPORTANT]
-> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy.
-
-
-
-ADMX Info:
-- GP English name: *Turn off Windows Location Provider*
-- GP name: *DisableWindowsLocationProvider_1*
-- GP path: *Windows Components/Location and Sensors/Windows Location Provider*
-- GP ADMX file name: *LocationProviderAdm.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 (default) – Disabled.
-- 1 – Enabled.
-
-
-
-To validate on Desktop, do the following:
-
-1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected.
-2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained.
-
-
-
-
-
-Footnote:
-
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-
-
-
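Review bot: Deleting policy-csp-location.md removes the documentation for Location/EnableLocation, including the IMPORTANT note that the policy is meant as one-time initial configuration, and no hunk shown in this part of the patch updates pages that link to it or adds a redirect. Please confirm the policy index and TOC entries go in the same change, and say in the commit message why the policy is no longer documented.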
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 6a7dbb8a95..99ad8fd29e 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -348,7 +348,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat
If you disable or do not configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
> [!TIP]
@@ -412,7 +412,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat
If you disable or do not configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
> [!TIP]
@@ -600,7 +600,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat
If you disable or do not configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
> [!TIP]
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 80185310fd..17ee63877e 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1770,7 +1770,7 @@ For Quality Updates, this policy specifies the timing before transitioning from
Value type is integer. Default value is 7 days.
-Supported value range: 0 - 30.
+Supported value range: 2 - 30.
If you disable or do not configure this policy, the default behaviors will be used.
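Review bot: Raising the documented minimum from 0 to 2 leaves open what a device does with 0 or 1, values the previous text listed as supported and that existing MDM profiles may already send. Add a sentence stating whether such values are rejected, clamped to 2, or treated as not configured.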
@@ -1833,7 +1833,7 @@ For Feature Updates, this policy specifies the timing before transitioning from
Value type is integer. Default value is 7 days.
-Supported value range: 0 - 30.
+Supported value range: 2 - 30.
If you disable or do not configure this policy, the default behaviors will be used.
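Review bot: "Supported value range: 2 - 30." sits directly under "Default value is 7 days." but carries no unit itself; "2 - 30 days" would remove any doubt, here and in the matching Quality Updates line.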
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 006ebdea5e..09b30b65c0 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 03/12/2018
+ms.date: 10/31/2018
---
# Policy CSP - UserRights
@@ -14,7 +14,7 @@ ms.date: 03/12/2018
-User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. Here is a list for reference, [Well-Known SID Structures](https://msdn.microsoft.com/library/cc980032.aspx). Even though strings are supported for well-known accounts and groups, it is better to use SIDs because strings are localized for different languages. Some user rights allow things, like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork.
+User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. Here is a list for reference, [Well-Known SID Structures](https://msdn.microsoft.com/library/cc980032.aspx). Even though strings are supported for well-known accounts and groups, it is better to use SIDs because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork.
Here is an example syncml for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups.
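Review bot: Removing the comma after the first "things" leaves the sentence unbalanced, because the second clause keeps its comma: "allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork". Drop the second comma as well, or restore the first.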
@@ -40,7 +40,7 @@ Here is an example syncml for setting the user right BackupFilesAndDirectories f
```
-Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator
+Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator.
- Grant an user right to Administrators group via SID:
```
@@ -49,17 +49,17 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
- Grant an user right to multiple groups (Administrators, Authenticated Users) via SID
```
- *S-1-5-32-544*S-1-5-11
+ *S-1-5-32-544*S-1-5-11
```
- Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings
```
- *S-1-5-32-544Authenticated Users
+ *S-1-5-32-544Authenticated Users
```
- Grant an user right to multiple groups (Authenticated Users, Administrators) via strings
```
- Authenticated UsersAdministrators
+ Authenticated UsersAdministrators
```
- Empty input indicates that there are no users configured to have that user right
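Review bot: In all three changed example lines the removed and added text read the same, and no separator is visible between entries (for example "*S-1-5-32-544Authenticated Users"), even though the paragraph above says the encoded 0xF000 is the standard delimiter. If the delimiter is present only as a raw or entity-encoded character, show it in an explicitly escaped form inside the code blocks and state in the commit message what changed, so an admin copying the example does not submit two accounts run together as one name.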
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index 803eba81fb..be981913ce 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -202,7 +202,8 @@ The following SyncML examples describe how to set a MDM policy that is defined b
(None)
**Request SyncML**
-```
+
+```XML
@@ -220,7 +221,8 @@ The following SyncML examples describe how to set a MDM policy that is defined b
```
**Response SyncML**
-```
+
+```XML
2
1
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index c212eae7d8..d540b098dd 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -7,45 +7,54 @@ ms.sitesec: library
ms.author: elizapo
author: kaushika-msft
ms.localizationpriority: medium
-ms.date: 11/08/2017
+ms.date: 11/08/2018
---
# Top support solutions for Windows 10
Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates:
-- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124/)
-- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825/)
-- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824/)
+- [Windows 10 version 1803 update history](https://support.microsoft.com/help/4099479)
+- [Windows 10 version 1709 update history](https://support.microsoft.com/help/4043454)
+- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124)
+- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825)
+- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824)
These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles.
-## Solutions related to installing Windows updates or hotfixes
-- [Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760/understanding-the-windowsupdate-log-file-for-advanced-users)
-- [You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer)
-- [Get-WindowsUpdateLog](https://technet.microsoft.com/itpro/powershell/windows/windowsupdate/get-windowsupdatelog)
-- [How to read the Windowsupdate.log file](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file)
-- [Can't download updates from Windows Update from behind a firewall or proxy server](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p)
-- [Computer staged from a SysPrepped image doesn't receive WSUS updates](https://support.microsoft.com/help/4010909/computer-staged-from-a-sysprepped-image-doesn-t-receive-wsus-updates)
-- [Servicing stack update for Windows 10 Version 1703: June 13, 2017](https://support.microsoft.com/help/4022405/servicingstackupdateforwindows10version1703june13-2017)
-- [Servicing stack update for Windows 10 Version 1607 and Windows Server 2016: March 14, 2017](https://support.microsoft.com/help/4013418/servicing-stack-update-for-windows-10-version-1607-and-windows-server)
+## Solutions related to installing Windows Updates
+- [How does Windows Update work](https://docs.microsoft.com/en-us/windows/deployment/update/how-windows-update-works)
+- [Windows Update log files](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-logs)
+- [Windows Update troubleshooting](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting)
+- [Windows Update common errors and mitigation](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-errors)
+- [Windows Update - additional resources](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources)
+
+## Solutions related to installing or upgrading Windows
+
+- [Quick Fixes](https://docs.microsoft.com/en-us/windows/deployment/upgrade/quick-fixes)
+- [Troubleshooting upgrade errors](https://docs.microsoft.com/en-us/windows/deployment/upgrade/troubleshoot-upgrade-errors)
+- [Resolution procedures](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolution-procedures)
+- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
+- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
+
+## Solutions related to BitLocker
+
+- [BitLocker recovery guide](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan)
+- [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)
+- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker)
+- [BitLocker Group Policy settings](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)
## Solutions related to Bugchecks or Stop Errors
- [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros)
- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
- [How to troubleshoot Windows-based computer freeze issues](https://support.microsoft.com/help/3118553/how-to-troubleshoot-windows-based-computer-freeze-issues)
-- [Understanding Bugchecks](https://blogs.technet.microsoft.com/askperf/2007/12/18/understanding-bugchecks/)
-- [Understanding Crash Dump Files](https://blogs.technet.microsoft.com/askperf/2008/01/08/understanding-crash-dump-files/)
+- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658)
+
+
+## Solutions related to Windows Boot issues
+- [Troubleshooting Windows boot problems for IT Pros](https://support.microsoft.com/help/4343769)
+- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
-## Solutions related to installing or upgrading Windows
-- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors)
-- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the)
-- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
-- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
-- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem)
-- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008)
-- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632)
-- [OOBE update for Windows 10 Version 1511: May 30, 2017](https://support.microsoft.com/help/4022633)
## Solutions related to configuring or managing the Start menu
- [Manage Windows 10 Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies)
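Review bot: The two upgrade-error links re-added under "Solutions related to installing or upgrading Windows" now point at support.microsoft.com/en-in/help/..., while the lines they replace and every other support link in this hunk are locale-neutral (support.microsoft.com/help/...); drop the en-in segment. The new docs.microsoft.com links likewise hard-code en-us, and the two new update-history entries use "version" where the three existing ones use "Version".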
@@ -57,7 +66,8 @@ These are the top Microsoft Support solutions for the most common issues experie
- [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic)
## Solutions related to wireless networking and 802.1X authentication
-
+- [Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-wireless-network-connectivity)
+- [Advanced Troubleshooting 802.1x Authentication](https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-802-authentication)
+- [Troubleshooting Windows 802.11 Wireless Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))
+- [Troubleshooting Windows Secure 802.3 Wired Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749352(v%3dws.10))
- [Windows 10 devices can't connect to an 802.1X environment](https://support.microsoft.com/kb/3121002)
-- [Windows 10 wireless connection displays "Limited" status](https://support.microsoft.com/kb/3114149)
-- [Computer that has VPN software installed can't detect wireless network after upgrading to Windows 10](https://support.microsoft.com/kb/3084164)
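Review bot: The first added link is malformed: "[Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/..." closes the link text too early and puts "Connectivity]" inside the URL, so it will not resolve. It should read "[Advanced Troubleshooting Wireless Network Connectivity](https://...)". The two previous-versions links also encode the same query differently, "(v=ws.10)" and "(v%3dws.10)"; pick one form and check that the parentheses do not terminate the Markdown link.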
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index af4f71427d..b0498ec09f 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -1,5 +1,21 @@
# [Configure Windows 10](index.md)
-## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
+## [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md)
+## [Configure access to Microsoft Store](stop-employees-from-using-microsoft-store.md)
+## [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md)
+### [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
+#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work/cortana-at-work-scenario-1.md)
+#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/cortana-at-work-scenario-2.md)
+#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/cortana-at-work-scenario-3.md)
+#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/cortana-at-work-scenario-4.md)
+#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/cortana-at-work-scenario-5.md)
+#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work/cortana-at-work-scenario-6.md)
+#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work/cortana-at-work-scenario-7.md)
+### [Set up and test Cortana with Office 365 in your organization](cortana-at-work/cortana-at-work-o365.md)
+### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work/cortana-at-work-crm.md)
+### [Set up and test Cortana for Power BI in your organization](cortana-at-work/cortana-at-work-powerbi.md)
+### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md)
+### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md)
+### [Send feedback about Cortana at work back to Microsoft](cortana-at-work/cortana-at-work-feedback.md)
## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
## [Configure kiosks and digital signs on Windows desktop editions](kiosk-methods.md)
### [Prepare a device for kiosk configuration](kiosk-prepare.md)
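Review bot: The "Configure access to Microsoft Store" entry added here targets stop-employees-from-using-microsoft-store.md, but the row for the same topic moved in windows/configuration/index.md in this patch links stop-employees-from-using-the-windows-store.md. One of the two file names is stale; align them before merging so the index does not ship a dead link.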
@@ -16,17 +32,6 @@
#### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md)
#### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md)
#### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md)
-## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md)
-### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
-### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md)
-#### [NFC-based device provisioning](mobile-devices/provisioning-nfc.md)
-#### [Barcode provisioning and the package splitter tool](mobile-devices/provisioning-package-splitter.md)
-### [Use the Lockdown Designer app to create a Lockdown XML file](mobile-devices/mobile-lockdown-designer.md)
-### [Configure Windows 10 Mobile using Lockdown XML](mobile-devices/lockdown-xml.md)
-### [Settings and quick actions that can be locked down in Windows 10 Mobile](mobile-devices/settings-that-can-be-locked-down.md)
-### [Product IDs in Windows 10 Mobile](mobile-devices/product-ids-in-windows-10-mobile.md)
-### [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md)
-## [Configure cellular settings for tablets and PCs](provisioning-apn.md)
## [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
## [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md)
## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
@@ -38,23 +43,6 @@
### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-## [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md)
-### [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
-#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work/cortana-at-work-scenario-1.md)
-#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/cortana-at-work-scenario-2.md)
-#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/cortana-at-work-scenario-3.md)
-#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/cortana-at-work-scenario-4.md)
-#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/cortana-at-work-scenario-5.md)
-#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work/cortana-at-work-scenario-6.md)
-#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work/cortana-at-work-scenario-7.md)
-### [Set up and test Cortana with Office 365 in your organization](cortana-at-work/cortana-at-work-o365.md)
-### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work/cortana-at-work-crm.md)
-### [Set up and test Cortana for Power BI in your organization](cortana-at-work/cortana-at-work-powerbi.md)
-### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md)
-### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md)
-### [Send feedback about Cortana at work back to Microsoft](cortana-at-work/cortana-at-work-feedback.md)
-## [Configure access to Microsoft Store](stop-employees-from-using-microsoft-store.md)
-## [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md)
## [Provisioning packages for Windows 10](provisioning-packages/provisioning-packages.md)
### [How provisioning works in Windows 10](provisioning-packages/provisioning-how-it-works.md)
### [Introduction to configuration service providers (CSPs)](provisioning-packages/how-it-pros-can-use-configuration-service-providers.md)
@@ -135,6 +123,7 @@
#### [WindowsTeamSettings](wcd/wcd-windowsteamsettings.md)
#### [WLAN](wcd/wcd-wlan.md)
#### [Workplace](wcd/wcd-workplace.md)
+## [Configure cellular settings for tablets and PCs](provisioning-apn.md)
## [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)
## [User Experience Virtualization (UE-V) for Windows](ue-v/uev-for-windows.md)
### [Get Started with UE-V](ue-v/uev-getting-started.md)
@@ -163,4 +152,15 @@
#### [Synchronizing Microsoft Office with UE-V](ue-v/uev-synchronizing-microsoft-office-with-uev.md)
#### [Application Template Schema Reference for UE-V](ue-v/uev-application-template-schema-reference.md)
#### [Security Considerations for UE-V](ue-v/uev-security-considerations.md)
+## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
+## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md)
+### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
+### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md)
+#### [NFC-based device provisioning](mobile-devices/provisioning-nfc.md)
+#### [Barcode provisioning and the package splitter tool](mobile-devices/provisioning-package-splitter.md)
+### [Use the Lockdown Designer app to create a Lockdown XML file](mobile-devices/mobile-lockdown-designer.md)
+### [Configure Windows 10 Mobile using Lockdown XML](mobile-devices/lockdown-xml.md)
+### [Settings and quick actions that can be locked down in Windows 10 Mobile](mobile-devices/settings-that-can-be-locked-down.md)
+### [Product IDs in Windows 10 Mobile](mobile-devices/product-ids-in-windows-10-mobile.md)
+### [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md)
## [Change history for Configure Windows 10](change-history-for-configure-windows-10.md)
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index f14d66e522..d7be6815e1 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -10,13 +10,19 @@ ms.localizationpriority: medium
author: jdeckerms
ms.author: jdecker
ms.topic: article
-ms.date: 10/02/2018
+ms.date: 11/07/2018
---
# Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## Novermber 2018
+
+New or changed topic | Description
+--- | ---
+[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Updated script.
+
## October 2018
New or changed topic | Description
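Review bot: The new heading is misspelled as "## Novermber 2018"; it should be "## November 2018", which also keeps any generated anchor for the section correct. "Updated script." would be more useful to readers of a change history if it said what in the kiosk script changed.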
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index b64b47fabf..6517e9e14f 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -21,19 +21,19 @@ Enterprises often need to apply custom configurations to devices for their users
| Topic | Description |
| --- | --- |
-| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
+| [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md) | Windows 10 includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. This topic helps IT administrators learn about built-in accessibility features. |
+| [Configure access to Microsoft Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. |
+| [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. |
| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
| [Configure kiosk and digital signage devices running Windows 10 desktop editions](kiosk-methods.md) | These topics help you configure Windows 10 devices to run as a kiosk device. |
-| [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. |
-| [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. |
| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.**Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. |
| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Microsoft Store. |
| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. |
-| [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. |
-| [Configure access to Microsoft Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. |
-| [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md) | Windows 10 includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. This topic helps IT administrators learn about built-in accessibility features. |
| [Provisioning packages for Windows 10](provisioning-packages/provisioning-packages.md) | Learn how to use the Windows Configuration Designer and provisioning packages to easily configure multiple devices. |
+| [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. |
| [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. |
+| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.|
+| [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. |
| [Change history for Configure Windows 10](change-history-for-configure-windows-10.md) | This topic lists new and updated topics in the Configure Windows 10 documentation for Windows 10 and Windows 10 Mobile. |
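Review bot: The added "Manage Wi-Fi Sense in your company" row is written in consumer second person ("connects you to Wi-Fi", "when you first set up your PC"), while the other rows in this table say what an administrator can configure. Reword it for the IT pro audience, since the behavior it describes (joining open hotspots known through crowdsourcing and networks shared by contacts) is exactly what an administrator has to decide whether to allow. The same row ends with `Windows 10.|` without the space before the closing pipe that the other rows use, and the moved cellular row still reads "tablets and PC" where "tablets and PCs" is meant.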
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md
index 9738a64aae..bb333f0c3f 100644
--- a/windows/configuration/kiosk-mdm-bridge.md
+++ b/windows/configuration/kiosk-mdm-bridge.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
-ms.date: 07/30/2018
+ms.date: 11/07/2018
---
# Use MDM Bridge WMI Provider to create a Windows 10 kiosk
@@ -32,55 +32,55 @@ $nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = @"
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ]]>
-
-
-
-
-
-
- MultiAppKioskUser
-
-
-
-
+<?xml version="1.0" encoding="utf-8" ?>
+<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
+ <Profiles>
+ <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
+ <AllAppsList>
+ <AllowedApps>
+ <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ <App DesktopAppPath="%windir%\system32\mspaint.exe" />
+ <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
+ </AllowedApps>
+ </AllAppsList>
+ <StartLayout>
+ <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <LayoutOptions StartTileGroupCellWidth="6" />
+ <DefaultLayoutOverride>
+ <StartLayoutCollection>
+ <defaultlayout:StartLayout GroupCellWidth="6">
+ <start:Group Name="Group1">
+ <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ </start:Group>
+ <start:Group Name="Group2">
+ <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
+ <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
+ </start:Group>
+ </defaultlayout:StartLayout>
+ </StartLayoutCollection>
+ </DefaultLayoutOverride>
+ </LayoutModificationTemplate>
+ ]]>
+ </StartLayout>
+ <Taskbar ShowTaskbar="true"/>
+ </Profile>
+ </Profiles>
+ <Configs>
+ <Config>
+ <Account>MultiAppKioskUser</Account>
+ <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
+ </Config>
+ </Configs>
+</AssignedAccessConfiguration>
"@
-
+
Set-CimInstance -CimInstance $obj
```
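Review bot: In the restored `AllowedApps` list the two desktop entries use different path forms, `%windir%\system32\mspaint.exe` and `C:\Windows\System32\notepad.exe`; use one form for both (the environment variable also covers installations that are not on C:) so that the sample allow list is consistent. The XML is also assigned through a double-quoted here-string (`@"` ... `"@`), which PowerShell expands; nothing in the current document contains `$`, but a single-quoted here-string (`@'` ... `'@`) would keep the configuration literal if someone later edits the sample. The whitespace-only `-`/`+` pair after `"@` can be dropped from the change.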
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index 585fe8822f..eea5619b50 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -84,7 +84,7 @@ Review the following tables for details about Office support in UE-V:
Microsoft PowerPoint 2016
Microsoft Project 2016
Microsoft Publisher 2016
-Microsoft SharePoint Designer 2013 (not udpated for 2016)
+Microsoft SharePoint Designer 2013 (not updated for 2016)
Microsoft Visio 2016
Microsoft Word 2016
Microsoft Office Upload Manager
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index 70a65ed02e..b245647edf 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -50,7 +50,7 @@ Use to configure device management settings.
| ProtocolVersion | Select between **1.1** and **1.2** for the OMA DM protocol version that the server supports |
| **Role** | Select between **Enterprise** and **Mobile Operator** for the role mask that the DM session runs with when it communicates with the server |
| **ServerID** | Enter the OMA DM server's unique identifier for the current OMA DM account |
-| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certficate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). |
+| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certificate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). |
| UseHardwareDeviceID | Specify whether to use the hardware ID for the ./DevInfo/DevID parameter in the DM account to identify the device |
| UseNonceResync | Specify whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication |
@@ -90,4 +90,4 @@ In **PROVURL**, enter the URL for a Trusted Provisioning Server (TPS).
## Related topics
- [DMAcc configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/dmacc-csp)
-- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp)
\ No newline at end of file
+- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp)
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 612721dfdc..5da3446971 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -341,7 +341,7 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [EnableLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the Location Service's Device Switch is enabled or disabled for the device. | X | X | | | |
+| [EnableLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | | |
## Privacy
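Review bot: The new EnableLocation description, "Do not use.", gives no reason and no alternative, and the edition columns are now all empty while the row still links to the policy CSP entry. Either state why the setting should not be used and what to configure instead, or remove the row, so that an administrator reviewing location settings for a provisioning package is not left guessing.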
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index ce9e1629c5..00acdc9318 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -215,6 +215,7 @@
### [Quick guide to Windows as a service](update/waas-quick-start.md)
#### [Servicing stack updates](update/servicing-stack-updates.md)
### [Overview of Windows as a service](update/waas-overview.md)
+### [Understand how servicing differs in Windows 10](update/waas-servicing-differences.md)
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
@@ -260,6 +261,7 @@
##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
+##### [Step 4: Monitor deployment](upgrade/upgrade-readiness-monitor-deployment.md)
##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
##### [Targeting a new operating system version](upgrade/upgrade-readiness-target-new-OS.md)
### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index a70b584daf..c1d98d727b 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -73,7 +73,7 @@ For more information about integrating on-premises AD DS domains with Azure AD,
## Preparing for deployment: reviewing requirements
-Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
## Assigning licenses to users
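Review bot: "hybrid domain joined with Azure AD Connect" on the changed line mixes two terms; the join state is normally written "hybrid Azure AD joined", and the same sentence already uses "Azure Active Directory joined" for the other case. Suggest using "hybrid Azure AD joined" here and in the identical sentence under "Review requirements on devices", so that the requirement matches the state an administrator will see reported for the device.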
@@ -225,7 +225,7 @@ Use the following figures to help you troubleshoot when users experience these c
### Review requirements on devices
-Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure Active Directory joined:**
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index 6ea42e8bc1..f45a135986 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt, sccm, M365
ms.localizationpriority: medium
-ms.date: 04/23/2018
+ms.date: 11/06/2018
author: greg-lindsay
---
@@ -55,12 +55,8 @@ Examples of these two deployment advisors are shown below.
## Related Topics
-[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-
-
-
-
-
+[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+[Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
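Review bot: The link text on the second added line is misspelled: "Modern Destop Deployment Center" should be "Modern Desktop Deployment Center". The URL itself (`desktop-deployment-center-home`) is spelled correctly, so only the visible text needs the fix.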
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index c18d4a269e..be1e1f9ea7 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -7,7 +7,7 @@ ms.localizationpriority: medium
ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
-ms.date: 09/12/2018
+ms.date: 11/06/2018
author: greg-lindsay
---
@@ -24,6 +24,9 @@ This topic provides an overview of new solutions and online content related to d
- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index).
- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history).
+## The Modern Desktop Deployment Center
+
+The [Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus.
## Windows 10 servicing and support
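Review bot: The new section heading says "Modern Desktop Deployment Center" but the link text in the paragraph under it says "Modern Destop Deployment Center"; correct the link text to "Desktop". "has launched with tons of content" is also more informal than the rest of the topic; "has launched with content to help you" would match the surrounding bullets.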
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index a38657a7be..ff0a09c58c 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
-ms.date: 11/02/2017
+ms.date: 11/06/2018
author: greg-lindsay
---
@@ -29,6 +29,10 @@ Windows 10 upgrade options are discussed and information is provided about plann
|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
+## Related topics
+
+[Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
+
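Review bot: In the added "Related topics" section the link text reads "Modern Destop Deployment Center"; it should read "Modern Desktop Deployment Center". The heading here is "Related topics" while deploy-m365.md in the same change uses "Related Topics"; pick one capitalization.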
diff --git a/windows/deployment/images/UR-driver-issue-detail.png b/windows/deployment/images/UR-driver-issue-detail.png
new file mode 100644
index 0000000000..933b2e2346
Binary files /dev/null and b/windows/deployment/images/UR-driver-issue-detail.png differ
diff --git a/windows/deployment/images/UR-example-feedback.png b/windows/deployment/images/UR-example-feedback.png
new file mode 100644
index 0000000000..5a05bb54e1
Binary files /dev/null and b/windows/deployment/images/UR-example-feedback.png differ
diff --git a/windows/deployment/images/UR-monitor-main.png b/windows/deployment/images/UR-monitor-main.png
new file mode 100644
index 0000000000..83904d3be2
Binary files /dev/null and b/windows/deployment/images/UR-monitor-main.png differ
diff --git a/windows/deployment/images/UR-update-progress-failed-detail.png b/windows/deployment/images/UR-update-progress-failed-detail.png
new file mode 100644
index 0000000000..4e619ae27c
Binary files /dev/null and b/windows/deployment/images/UR-update-progress-failed-detail.png differ
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index b3b1dbc226..0161bd05b1 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -46,6 +46,7 @@ sections:
text: "
+ [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) | Check out the new Modern Deskop Deployment Center and discover content to help you with your Windows 10 and Office 365 ProPlus deployments. |
[What's new in Windows 10 deployment](deploy-whats-new.md) | See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) | To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
[Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) | Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). |
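Review bot: The description on the added row says "Modern Deskop Deployment Center"; it should be "Modern Desktop Deployment Center", matching the link text at the start of the same row.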
diff --git a/windows/deployment/planning/windows-10-fall-creators-deprecation.md b/windows/deployment/planning/windows-10-fall-creators-deprecation.md
index 09045724dc..5b8b7ca418 100644
--- a/windows/deployment/planning/windows-10-fall-creators-deprecation.md
+++ b/windows/deployment/planning/windows-10-fall-creators-deprecation.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library
author: lizap
-ms.date: 10/09/2017
+ms.date: 10/30/2018
---
# Features that are removed or deprecated in Windows 10 Fall Creators Update
@@ -31,7 +31,7 @@ For more information about a listed feature or functionality and its replacemen
|**Reading List**
Functionality to be integrated into Microsoft Edge.| X | |
|**Resilient File System (ReFS)**
Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability.
(added: August 17, 2017)| | X |
|**RSA/AES Encryption for IIS**
We recommend that users use CNG encryption provider.| | X |
-|**Screen saver functionality in Themes**
To be disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep is now deprecated but continues to be functional. Lockscreen features and policies are preferred. | X | X |
+|**Screen saver functionality in Themes**
Disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lockscreen features and policies are preferred. | X | X |
|**Sync your settings**
Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
(updated: August 17, 2017) | | X |
|**Syskey.exe**
Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window)| X | |
|**System Image Backup (SIB) Solution**
We recommend that users use full-disk backup solutions from other vendors.| | X |
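Review bot: The rewritten screen saver row drops "is now deprecated" for Group Policies, Control Panel, and Sysprep, yet the row keeps an X in both columns of a table titled "Features that are removed or deprecated". If that functionality is still deprecated, keep the statement; if it is no longer deprecated, clear the second X. As written, the text and the columns disagree, and "Lockscreen features and policies are preferred" no longer has a stated reason.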
diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md
index d713b0cbb7..e4a62129cf 100644
--- a/windows/deployment/update/device-health-get-started.md
+++ b/windows/deployment/update/device-health-get-started.md
@@ -1,11 +1,11 @@
---
title: Get started with Device Health
-description: Configure Device Health in Azure Log Analytics to monitor health (such as crashes and sign-in failures) for your Windows 10 devices.
+description: Configure Device Health in Azure Monitor to monitor health (such as crashes and sign-in failures) for your Windows 10 devices.
keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers, azure
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.date: 09/11/2018
+ms.date: 10/29/2018
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
@@ -26,7 +26,7 @@ This topic explains the steps necessary to configure your environment for Window
## Add the Device Health solution to your Azure subscription
-Device Health is offered as a *solution* which you link to a new or existing [Azure Log Analytics](https://azure.microsoft.com/services/log-analytics/) *workspace* within your Azure *subscription*. To configure this, follows these steps:
+Device Health is offered as a *solution* which you link to a new or existing [Azure Monitor](https://azure.microsoft.com/services/monitor/) *workspace* within your Azure *subscription*. To configure this, follows these steps:
1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal.
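Review bot: The rewritten sentence still ends "To configure this, follows these steps:"; since the line is being touched, fix it to "follow these steps". The rename also makes the solution link to an "Azure Monitor *workspace*"; confirm that this is the name the portal shows for the workspace the later steps have the reader choose or create, because readers will search the portal for that exact term.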
@@ -38,7 +38,7 @@ Device Health is offered as a *solution* which you link to a new or existing [Az

3. Choose an existing workspace or create a new workspace to host the Device Health solution.
- 
+ 
- If you are using other Windows Analytics solutions (Upgrade Readiness or Update Compliance) you should add Device Health to the same workspace.
- If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started:
- Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
@@ -48,7 +48,7 @@ Device Health is offered as a *solution* which you link to a new or existing [Az
4. Now that you have selected a workspace, you can go back to the Device Health blade and select **Create**.

5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.DeviceHealth' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear.
- 
+ 
- Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Device Health solution.
- Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour.
diff --git a/windows/deployment/update/images/servicing-cadence.png b/windows/deployment/update/images/servicing-cadence.png
new file mode 100644
index 0000000000..cb79ff70be
Binary files /dev/null and b/windows/deployment/update/images/servicing-cadence.png differ
diff --git a/windows/deployment/update/images/servicing-previews.png b/windows/deployment/update/images/servicing-previews.png
new file mode 100644
index 0000000000..0914b555ba
Binary files /dev/null and b/windows/deployment/update/images/servicing-previews.png differ
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 420b02b8a3..365142d77b 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: Jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 09/24/2018
+ms.date: 11/13/2018
---
# Servicing stack updates
@@ -28,6 +28,9 @@ Having the latest servicing stack update is a prerequisite to reliably installin
Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required.
+>[!NOTE]
+>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
+
## What's the difference between a servicing stack update and a cumulative update?
Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
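Review bot: The link in the added note hard-codes the `en-us` locale (`portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001`), while the other links added in this change carry no locale segment. Drop the locale if the portal resolves the URL without it, so that readers are not forced onto the English page. It would also help to say in the note that ADV990001 is the advisory listing the latest servicing stack update per Windows version, so the link target is clear before the click.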
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 5371ba5470..25fac89570 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -38,7 +38,7 @@ The Update Compliance architecture and data flow is summarized by the following
**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
**(2)** Diagnostic data is analyzed by the Update Compliance Data Service.
-**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your Azure Log Analytics workspace.
+**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
**(4)** Diagnostic data is available in the Update Compliance solution.
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.txt b/windows/deployment/update/waas-delivery-optimization-reference.txt
new file mode 100644
index 0000000000..993295784a
--- /dev/null
+++ b/windows/deployment/update/waas-delivery-optimization-reference.txt
@@ -0,0 +1,23 @@
+---
+title: Delivery Optimization reference
+description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
+keywords: oms, operations management suite, wdav, updates, downloads, log analytics
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: JaimeO
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.date: 10/23/2018
+---
+
+# Delivery Optimization reference
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference.
+
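Review bot: This new topic is added as `waas-delivery-optimization-reference.txt` although it carries the same YAML front matter and markdown body as the `.md` topics in this directory. If the extension is meant to keep an unfinished page out of the published set, say so in the commit message; otherwise rename it to `.md`. The body is a single sentence with no settings listed yet, and the `description` repeats the parent topic's text rather than describing a reference page.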
diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md
new file mode 100644
index 0000000000..edb097e05a
--- /dev/null
+++ b/windows/deployment/update/waas-delivery-optimization-setup.md
@@ -0,0 +1,42 @@
+---
+title: Set up Delivery Optimization
+description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
+keywords: oms, operations management suite, wdav, updates, downloads, log analytics
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: JaimeO
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.date: 10/23/2018
+---
+
+# Set up Delivery Optimization for Windows 10 updates
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+## Plan to use Delivery Optimization
+
+general guidelines + “recommended policies” chart
+
+
+## Implement Delivery Optimization
+[procedural-type material; go here, click this]
+
+### Peer[?] topology (steps for setting up Group download mode)
+
+
+### Hub and spoke topology (steps for setting up peer selection)
+
+
+## Monitor Delivery Optimization
+how to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how?
+
+### Monitor w/ PS
+
+### Monitor w/ Update Compliance
+
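Review bot: `waas-delivery-optimization-setup.md` is committed with authoring placeholders in the body: "general guidelines + “recommended policies” chart", "[procedural-type material; go here, click this]", the heading "Peer[?] topology", and empty "Monitor w/ PS" and "Monitor w/ Update Compliance" sections. Hold the file out of this change until the sections are written, or at least replace the placeholders with the planned headings only. The parenthetical labels on the two topology headings also look swapped or unresolved ("Group download mode" under peer, "peer selection" under hub and spoke) and should be confirmed before anyone configures download mode from this page.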
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index f82f1afa73..c43a9b860b 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -1,5 +1,5 @@
---
-title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
+title: Delivery Optimization for Windows 10 updates (Windows 10)
description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
@@ -8,10 +8,10 @@ ms.sitesec: library
author: JaimeO
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 04/30/2018
+ms.date: 10/23/2018
---
-# Configure Delivery Optimization for Windows 10 updates
+# Delivery Optimization for Windows 10 updates
**Applies to**
@@ -20,15 +20,14 @@ ms.date: 04/30/2018
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager when installation of Express Updates is enabled.
+Delivery Optimization reduces the bandwidth needed to download Windows updates and applications by sharing the work of downloading these packages among multiple devices in your deployment. It does this by using a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers.
-Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet.
+You can use Delivery Optimization in conjunction with standalone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager (when installation of Express Updates is enabled).
+To take advantage of Delivery Optimization, you'll need the following:
->[!NOTE]
->WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
-
-The following table lists the minimum Windows 10 version that supports Delivery Optimization:
+- The devices being updated must have access to the internet.
+- The devices must be running at least these minimum versions:
| Device type | Minimum Windows version |
|------------------|---------------|
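Review bot: The rewritten intro drops the statement that Delivery Optimization is cloud-managed and requires access to the Delivery Optimization cloud services; the new bullet "The devices being updated must have access to the internet" is weaker guidance for administrators who restrict outbound traffic through proxies or firewalls. Suggest keeping the cloud-service requirement in that bullet. Also, the added "To take advantage of Delivery Optimization, you'll need the following:" line directly follows the added "You can use Delivery Optimization in conjunction with..." paragraph with no blank line added between them, so the two will render as one paragraph; add a blank line before it, and check that a blank line separates the second bullet from the table.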
@@ -37,10 +36,11 @@ The following table lists the minimum Windows 10 version that supports Delivery
| IoT devices | 1803 |
| HoloLens devices | 1803 |
+ In Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. These options are detailed in [Download mode](#download-mode).
-By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
+>[!NOTE]
+>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
-For more details, see [Download mode](#download-mode).
## Delivery Optimization options
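Review bot: The moved sentence at "+ In Windows 10 Enterprise and Education editions..." loses the leading "By default", so it now reads as if peer-to-peer sharing is always limited to the organization's own network and then immediately says it can be configured differently. Restore "By default" so the scope of sharing is unambiguous, and drop the stray leading space before "In".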
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
new file mode 100644
index 0000000000..91ff222523
--- /dev/null
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -0,0 +1,106 @@
+---
+title: Servicing differences between Windows 10 and older operating systems
+description: Learn the differences between servicing Windows 10 and servicing older operating systems.
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: KarenSimWindows
+ms.localizationpriority: medium
+ms.author: karensim
+ms.date: 11/09/2018
+---
+# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems
+
+>Applies to: Windows 10
+
+Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates.
+
+The following provides an initial overview of how updating client and server differs between the Windows 10-era operating systems (such as Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2).
+
+>[!NOTE]
+> A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc.
+
+## Infinite fragmentation
+Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates.
+
+As a result, each environment with the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft.
+
+This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
+
+## Windows 10 – Next generation
+Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU.
+
+Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
+
+
+
+Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each.
+
+This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10.
+
+### Points to consider
+
+- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new.
+- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.)
+- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model.
+- For Windows 10, available update types vary by publishing channel:
+ - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates.
+ - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS, but will not be automatically synced. (See this [example](https://support.microsoft.com/help/4132650/servicing-stack-update-for-windows-10-version-1709-may-21-2018) for Windows 10, version 1709). For more information on Servicing Stack Updates, please see this [blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434).
+ - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date.
+- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
+
+## Windows 7 and legacy OS versions
+While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in aa fragmented environment, we moved Windows 7 to a cumulative update model in October 2016.
+
+Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered two cumulative package types for all legacy operating systems: Monthly Rollups and Security-only updates.
+
+The Monthly Rollup includes new non-security, security updates, Internet Explorer (IE) updates, and all updates from the previous month, similar to the Windows 10 model. The Security-only package includes new security updates and all security updates from the previous month. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
+
+Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments have fully updated machines, which means that the baseline against which all legacy OS version updates are tested include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
+
+### Points to consider
+- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages.
+- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.)
+- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security, critical" updates, because both have the full set of security updates in them. The Monthly Rollup has additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed.
+- Despite the cumulative nature of both Monthly Rollups and Security-only updates, switching between these update types is not advised. Small differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type – Monthly Rollup or Security-only – is recommended.
+- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback.
+- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup.
+- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated.
+- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version.
+
+## Public preview releases
+Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates.
+
+### Examples
+Windows 10 version 1709:
+
+- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot.
+- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required.
+- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot.
+
+All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models.
+
+
+
+### Previews vs. on-demand releases
+In 2018, we experienced incidents that required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
+
+#### Points to consider:
+- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot.
+- With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however.
+- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices.
+- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way.
+
+In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure.
+
+
+## Resources
+- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530)
+- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772)
+- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783)
+- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/)
+- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798)
+- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/)
+- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376)
+- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434)
\ No newline at end of file
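Review bot: Several sentences in the new article need a copy edit before merge, the most serious being "Since Windows client and server share the same code base, these LCUs This helps simplify servicing." in the "Windows 10 – Next generation" section, which is two sentences fused mid-thought. That paragraph and the later one beginning "Another benefit of the LCU model is fewer steps" both explain that RTM devices can get up to date with the most recent LCU, so one of them can go. Other fixes: "have a critical need critical to understand", "Window 8.1", "Window 7 SP1" and "Window 10" (Windows), "each environment with the global Windows ecosystem" (within), "aa fragmented environment", "is also needed for to help secure", "We recommend IT Administrators uses", and "a Update Tuesday release". The closing "In closing, I hope this overview..." uses a first-person voice that the rest of the article does not, and the file ends without a trailing newline.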
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index 668d342d72..6041f964a6 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -4,10 +4,10 @@ description: A strong Windows 10 deployment strategy begins with establishing a
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: DaniHalfin
+author: Jaimeo
ms.localizationpriority: medium
-ms.author: daniha
-ms.date: 07/27/2017
+ms.author: jaimeo
+ms.date: 11/02/2018
---
# Prepare servicing strategy for Windows 10 updates
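Review bot: The new "author: Jaimeo" value is a third casing of the same alias; other front matter in this change has "author: JaimeO" and "author: jaimeo". Pick one spelling so the author metadata is consistent across the articles.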
@@ -20,17 +20,17 @@ ms.date: 07/27/2017
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. Figure 1 shows the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
+In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
-**Figure 1**

Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
-- **Configure test devices.** Configure testing PCs in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-annual Channel. Typically, this would be a small number of test machines that IT staff members use to evaluate prereleased builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
-- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
+- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
+- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
+- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
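Review bot: The added and edited bullets introduce new typos: "pre-releas builds" in the "Configure test devices" bullet and "new group polices" in the "Update Group Policy" bullet, which also lacks a final period after its last link. Terminology is still mixed after the PCs-to-devices pass: "Semi-Annual Channel" in the first bullet versus "Semi-annual Channel" in the second, and "For those machines" remains in "Identify excluded devices". For the Group Policy bullet, consider linking directly to the ADMX download page instead of telling readers to search for "ADMX download for Windows build xxxx", since a web search is an unreliable way to locate administrative templates that will be copied into SYSVOL.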
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 643e549073..49a13d74fc 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -28,9 +28,16 @@ Using Group Policy to manage Windows Update for Business is simple and familiar:
In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch.
->[!NOTE]
+>[!NOTES]
>The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511.
+>To follow the instructions in this article, you will need to download and install the relevant ADMX templates for your Windows 10 version.
+>See the following articles for instructions on the ADMX templates in your environment.
+
+> - [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759)
+> - [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/)
+
+
To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
## Configure Windows Update for Business in Windows 10 version 1511
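Review bot: ">[!NOTES]" is not a recognized alert type, so the block will render as a plain quote instead of a note callout; keep ">[!NOTE]". The two added sentences also follow the terminology sentence without a line break, and the "+" blank line before the "> - [How to create..." items splits the link list into a separate quote block. Put the ADMX prerequisite in its own paragraph inside the note and keep the list contiguous with it.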
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
index 325a6a229a..bf0ebdf02d 100644
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
-ms.date: 08/21/2018
+ms.date: 10/29/2018
ms.localizationpriority: medium
---
@@ -33,10 +33,14 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
[Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb)
+[Upgrade Readiness shows many "Computers with incomplete data"](#upgrade-readiness-shows-many-computers-with-incomplete-data)
+
[Upgrade Readiness doesn't show app inventory data on some devices](#upgrade-readiness-doesnt-show-app-inventory-data-on-some-devices)
[Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices)
+[Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices)
+
[Disable Upgrade Readiness](#disable-upgrade-readiness)
[Exporting large data sets](#exporting-large-data-sets)
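Review bot: The new contents link to "#upgrade-readiness-shows-many-computers-with-incomplete-data" has no matching heading added in any of this file's hunks, unlike the "#device-names-not-appearing-for-windows-10-devices" link, which matches the heading renamed further down. Confirm that the "Computers with incomplete data" section already exists in the article, or add it in this change; otherwise the link is dead.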
@@ -101,7 +105,7 @@ If you know that devices are experiencing stop error crashes that do not seem to
[](images/event_1001.png)
- You can use the following Windows PowerShell snippet to summarize recent occurences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however).
+ You can use the following Windows PowerShell snippet to summarize recent occurrences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however).
```powershell
$limitToMostRecentNEvents = 20
@@ -191,7 +195,7 @@ Finally, Upgrade Readiness only collects IE site discovery data on devices that
>[!NOTE]
> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries.
-### Device Names don't show up on Windows 10 devices
+### Device names not appearing for Windows 10 devices
Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
### Disable Upgrade Readiness
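Review bot: Renaming the heading to "Device names not appearing for Windows 10 devices" changes the anchor generated from it, so any link that still targets the anchor of the old heading text will stop resolving. The contents entry added earlier in this file uses the new anchor, which is correct; search the rest of the repo for links to the old one before merging.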
@@ -256,4 +260,4 @@ Currently, you can choose the criteria you wish to use:
- To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet.
### How does Upgrade Readiness collect the inventory of devices and applications?
-For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog.
\ No newline at end of file
+For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog.
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
index 30f586c3f1..1ceeae0987 100644
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ b/windows/deployment/update/windows-analytics-get-started.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
-ms.date: 10/08/2018
+ms.date: 11/01/2018
ms.localizationpriority: medium
---
@@ -45,21 +45,27 @@ To enable data sharing, configure your proxy server to whitelist the following e
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
-| `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows 10, version 1803|
+|`https://ceuswatcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. |
+| `https://ceuswatcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. |
+| `https://eaus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. |
+| `https://eaus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. |
+| `https://weus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. |
+| `https://weus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. |
+| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with devices runningrunning Windows 10, version 1703 or later **that also have the 2018-09 Cumulative Update (KB4458469, KB4457136, KB4457141) or later installed** |
+| `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows 10, version 1803 *without* the 2018-09 Cumulative Update installed |
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier |
| `https://vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for operating systems older than Windows 10 |
-| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows versions that have KB4458469 installed |
-| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft.
+| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. |
| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
| `https://login.live.com` | This endpoint is required by Device Health to ensure data integrity and provides a more reliable device identity for all of the Windows Analytics solutions on Windows 10. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. |
-| `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
-| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
+| `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity |
+| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity |
>[!NOTE]
->Proxy authentation and SSL inspections are frequent challenges for enterprises. See the following sections for configuration options.
+>Proxy authentication and SSL inspections are frequent challenges for enterprises. See the following sections for configuration options.
### Configuring endpoint access with SSL inspection
To ensure privacy and data integrity Windows checks for a Microsoft SSL certificate when communicating with the diagnostic data endpoints. Accordingly SSL interception and inspection is not possible. To use Windows Analytics services you should exclude the above endpoints from SSL inspection.
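Review bot: The added `https://v10c.events.data.microsoft.com` row contains a doubled word ("devices runningrunning Windows 10"); drop the duplicate. In the same table, the first new row starts with "|`https://ceuswatcab01" with no space after the pipe, unlike every other row, and the two connectivity-check rows lose their trailing period while the other descriptions keep theirs, so settle on one style. Because administrators copy this table into proxy allow lists and SSL-inspection exclusions, it would also help to state whether a device needs all six blob.core.windows.net hosts or only a subset.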
@@ -77,7 +83,7 @@ The compatibility update scans your devices and enables application usage tracki
| **Operating System** | **Updates** |
|----------------------|-----------------------------------------------------------------------------|
-| Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up-to-date with cummulative updates. |
+| Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up-to-date with cumulative updates. |
| Windows 8.1 | [KB 2976978](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
For more information about this update, see |
| Windows 7 SP1 | [KB2952664](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
For more information about this update, see |
diff --git a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
index b5f0b2b68b..3aabb7b13b 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
@@ -1,8 +1,8 @@
---
-title: Upgrade Readiness - Get a list of computers that are upgrade-ready (Windows 10)
+title: Upgrade Readiness - Get a list of computers that are upgrade ready (Windows 10)
description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness.
ms.prod: w10
-author: greg-lindsay
+author: jaimeo
ms.date: 04/19/2017
---
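Review bot: The front matter switches `author` to jaimeo but leaves `ms.date: 04/19/2017` untouched and adds no `ms.author`, whereas the windows-analytics files in this patch carry `ms.author: jaimeo` and have their `ms.date` bumped along with the edit. Update both fields here so the metadata matches the new owner and the date of the change.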
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
index 5be86f56ab..e295b3fa32 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
-ms.date: 05/31/2018
+ms.date: 10/29/2018
---
# Upgrade Readiness deployment script
@@ -93,7 +93,7 @@ The deployment script displays the following exit codes to let you know if it wa
N/A |
- 1 - Unexpected error occurred while executiEng the script. |
+ 1 - Unexpected error occurred while executing the script. |
The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. |
@@ -286,17 +286,6 @@ The deployment script displays the following exit codes to let you know if it wa
45 - Diagrack.dll was not found. |
Update the PC using Windows Update/Windows Server Update Services. |
-
- 46 - **DisableEnterpriseAuthProxy** property should be set to **1** for **ClientProxy=Telemetry** to work. |
- Set the **DisableEnterpriseAuthProxy** registry property to **1** at key path **HKLM:\SOFTWARE\Policies\Microsoft
-\Windows\DataCollection**. |
-
-
- 47 - **TelemetryProxyServer** is not present in key path **HKLM:\SOFTWARE\Policies\Microsoft
-\Windows\DataCollection**. |
- **ClientProxy** selected is **Telemetry**, but you need to add **TelemetryProxyServer** in key path **HKLM:\SOFTWARE\Policies\Microsoft
-\Windows\DataCollection**. |
-
48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. |
**CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. |
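Review bot: Removing the rows for exit codes 46 and 47 leaves the table jumping from 45 to 48 with no explanation. If any released version of the deployment script can still return these codes, administrators lose the remediation text for **DisableEnterpriseAuthProxy** and **TelemetryProxyServer** under HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection. Confirm the script no longer emits them, or keep the rows and mark them as applying to older script versions.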
diff --git a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md
new file mode 100644
index 0000000000..be3d2aee32
--- /dev/null
+++ b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md
@@ -0,0 +1,48 @@
+---
+title: Monitor deployment with Upgrade Readiness
+description: Describes how to use Upgrade Readiness to monitor the deployment after Windows upgrades.
+keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
+ms.localizationpriority: medium
+ms.prod: w10
+author: jaimeo
+ms.author: jaimeo
+ms.date: 11/07/2018
+---
+
+# Upgrade Readiness - Step 4: Monitor
+
+Now that you have started deploying an update with Upgrade Readiness, you can use it to monitor important elements.
+
+
+
+
+## Update progress
+
+The **Update progress** blade allows you to monitor the progress and status of your deployment. Any device that has attepted to upgrade in the last 30 days displays the **DeploymentStatus** attribute. You'll be able to see the number of computers that have successfully upgraded, failed to upgrade, are stalled, etc.
+
+
+Selecting this blade allows you to view device-level details about the deployment. For example, select **Failed** to view the original operating system version, the target operating system version, and the reason the update failed for each of the devices that failed to upgrade. In the case of the device illustrated in the following image, an attempt was made to upgrade from Windows 10, version 1703 to 1709, but the operation timed out.
+
+
+
+
+## Driver issues
+
+The **Driver issues** blade allows you to see Device Manager errors for your upgraded devices. We include data for all compatibility-related device errors, such as "driver not found" and "driver not started." The blade summarizes errors by error type, but you can select a particular error type to see device-level details about which device(s) are failing and where to obtain a driver.
+
+
+For example, by selecting error code **28 - driver not installed**, you would see that the device in the following image is missing the driver for a network controller. Upgrade Readiness also notifies that a suitable driver is available online through Windows Update. If this device is configured to automatically receive updates from Windows Update, this issue would likely resolve itself following the device's next Windows Update scan. If this device does not automatically receive updates from Windows Update, you would need to deliver the driver manually.
+
+
+
+## User feedback
+
+The **User Feedback** blade focuses on gathering subjective feedback from your end users. If a user submits feedback through the Feedback Hub app on a device in your workspace, we will make that feedback visible to you in this blade. The Feedback Hub app is built into Windows 10 and can be accessed by typing "Feedback Hub" in the Cortana search bar.
+
+
+We recommend that you encourage your end users to submit any feedback they have through Feedback Hub. Not only will this feedback be sent directly to Microsoft for review, but you'll also be able to see it by using Upgrade Readiness. You should be aware that **feedback submitted through Feedback Hub will be publicly visible**, so it's best to avoid submitting feedback about internal line-of-business applications.
+
+When viewing user feedback in Upgrade Readiness, you'll be able to see the raw "Title" and "Feedback" text from the user's submission in Feedback Hub, as well as the number of upvotes the submission has received. (Since feedback is publicly visible, the number of upvotes is a global value and not specific to your company.) If a Microsoft engineer has responded to the submission in Feedback Hub, we'll pull in the Microsoft response for you to see as well.
+
+
+
\ No newline at end of file
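Review bot: Typo in the "Update progress" paragraph: "attepted" should be "attempted". The text also refers to "the following image" twice (the timed-out 1703 to 1709 upgrade and the error code 28 example), but no image link is visible after either paragraph, so check that the images made it into the commit. Smaller points: the `keywords` line ends with a dangling comma, the heading "User feedback" and the bolded "User Feedback" blade name differ in case, and the new file ends without a newline, which this patch is correcting in other files.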
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index 596c5c9540..d6cdab7ce2 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -66,7 +66,7 @@ Figure 2. The imported Windows 10 operating system after you rename it.
- Task sequence ID: W10-X64-UPG
- Task sequence name: Windows 10 Enterprise x64 RTM Upgrade
- Template: Standard Client Upgrade Task Sequence
- - Select OS: Windows 10 Enterprise x64 RTM RTM Default Image
+ - Select OS: Windows 10 Enterprise x64 RTM Default Image
- Specify Product Key: Do not specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
@@ -103,4 +103,4 @@ After the task sequence completes, the computer will be fully upgraded to Window
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
\ No newline at end of file
+
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index f744169d27..684ee94aa7 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
-ms.date: 04/03/2018
+ms.date: 11/06/2018
author: greg-lindsay
---
@@ -19,9 +19,9 @@ author: greg-lindsay
To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
-- Modern deployment methods are recommended unless you have a specific need to use a different procedure.
+- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home).
- Dynamic deployment methods enable you to configure applications and settings for specific use cases.
-- Traditional deployment methods use tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager.
+- Traditional deployment methods use existing tools to deploy operating system images.
Category |
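Review bot: After this edit both the Modern and the Traditional bullets describe themselves in terms of "existing tools", which blurs the distinction the list is meant to draw. The Modern bullet now names Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager, while the Traditional bullet no longer names any tool. Either name the tools in the Traditional bullet as well, or reword the Modern bullet to say what makes the method modern rather than which tools support it.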
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
index fb04b62d4d..e16013f4db 100644
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@@ -3,9 +3,12 @@
### [Configuration requirements](windows-autopilot-requirements-configuration.md)
### [Network requirements](windows-autopilot-requirements-network.md)
### [Licensing requirements](windows-autopilot-requirements-licensing.md)
+### [Intune Connector (preview)](intune-connector.md)
## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
### [Support for existing devices](existing-devices.md)
### [User-driven mode](user-driven.md)
+#### [Azure Active Directory joined](user-driven-aad.md)
+#### [Hybrid Azure Active Directory joined](user-driven-hybrid.md)
### [Self-deploying mode](self-deploying.md)
### [Enrollment status page](enrollment-status.md)
### [Windows Autopilot Reset](windows-autopilot-reset.md)
@@ -21,3 +24,5 @@
## Getting started
### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md)
## [Troubleshooting](troubleshooting.md)
+## [FAQ](autopilot-faq.md)
+## [Support](autopilot-support.md)
\ No newline at end of file
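Review bot: The new last line, the Support entry, still leaves TOC.md without a trailing newline. Other hunks in this patch add the missing newline to files they touch, so add one here too and avoid a follow-up whitespace-only diff.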
diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md
new file mode 100644
index 0000000000..0eefe9fc9f
--- /dev/null
+++ b/windows/deployment/windows-autopilot/autopilot-faq.md
@@ -0,0 +1,158 @@
+---
+title: Windows Autopilot support
+description: Support information for Windows Autopilot
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 11/05/2018
+---
+
+# Windows Autopilot FAQ
+
+**Applies to: Windows 10**
+
+This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
+
+A [glossary](#glossary) of abbreviations used in this topic is provided at the end.
+
+
+## Microsoft Partner Center
+
+| Question | Answer |
+| --- | --- |
+| In the Partner Center, does the Tenant ID need to be provided with every device file upload (to then allow the business customer to access their devices in MSfB)? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be re-used with future device uploads. |
+| How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM would need to advise the tenant to access MSfB. Auto-notification from MSfB to the tenant is being developed. |
+| Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. |
+| Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).|
+| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.
Go [here](https://msdn.microsoft.com/partner-center/createuseraccounts-and-set-permissions) for more information. |
+| Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. |
+| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access:
1. Direct CSP: Gets direct authorization from the customer to register devices.
2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.
3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. |
+
+## Manufacturing
+
+| Question | Answer |
+| --- | --- |
+| What changes need to be made in the factory OS image for customer configuration settings? |No changes are required on the factory floor to enable Windows Autopilot deployment. |
+| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K Hardware Hash. |
+| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (i.e., registration) completed on their behalf. |
+| Does the OEM need to manage or collect any custom imaging files from customers and perform any image uploads to Microsoft? | No change, OEMs just send the CBRs as usual to Microsoft. No images are sent to Microsoft to enable Windows Autopilot. Windows Autopilot only customizes OOBE and allows policy configurations (disables admin account, for example). |
+| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment, otherwise no impacts. |
+| Will there be any change to the existing CBR with 4k Hardware Hash? | No. |
+| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customer’s behalf, in which case they would upload the device ID via a CSV file into Microsoft Partner Center, or use the OEM Direct API. |
+| Is there a contract or amendment for an OEM to participate in Windows Autopilot Deployment? | No. |
+
+## CSV schema
+
+| Question | Answer |
+| --- | --- |
+| Can a comma be used in the CSV file? | No. |
+| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file? | See the “In Microsoft Store for Business” section of this guide. |
+| Is there a limit to the number of devices that can be listed in the CSV file? | Yes, the CSV file can only contain 1,000 devices to apply to a single profile. If more than 1,000 devices need to be applied to a profile, the devices need to be uploaded through multiple CSV files. |
+| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers? | Microsoft recommends encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune). |
+
+
+## Hardware hash
+
+| Question | Answer |
+| --- | --- |
+| Must every Hardware Hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit Hardware Hashes which meet the outlined requirement. |
+| What is the reason for needing the SMBIOS UUID, MAC Address and Disk Serial Number in the Hardware Hash details? | For creating the Hardware Hash, these are the fields that are needed to identify a device, as parts of the device are added/removed. Since we don’t have a unique identifier for Windows devices, this is the best logic to identify a device. |
+| What is difference between OA3 Hardware Hash, 4K Hardware Hash, and Windows Autopilot Hardware Hash? | None. They’re different names for the same thing. The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. |
+| What is the thought around parts replacement and/or repair for the NIC (network interface controller) and/or Disk? Will the Hardware Hash become invalid? | Yes. If you replace parts, you need to gather the new Hardware Hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, it’s a new device – you MUST have new Hardware Hash. If you replace one network card, it’s probably not a new device, and the device will function with the old Hardware Hash. However, as a best practice, you should assume the old Hardware Hash is invalid and get a new Hardware Hash after any hardware changes – this is Microsoft’s strong recommendation any time you replace parts. |
+
+## Motherboard replacement
+
+| Question | Answer |
+| --- | --- |
+| How does Autopilot handle motherboard replacement scenarios?” | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.
To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID).
**Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.|
+
+## SMBIOS
+
+| Question | Answer |
+| --- | --- |
+| Any specific requirement to SMBIOS UUID? | It must be unique as specified in the Windows 10 hardware requirements. |
+| What is the requirement on the SMBIOS table to meet the Windows Autopilot Hardware Hash need? | It must meet all the Windows 10 hardware requirements. Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx). |
+| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the Hardware Hash? | No. At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub |
+
+## Technical interface
+
+| Question | Answer |
+| --- | --- |
+| What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #? | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty/PropertyStandardQuery. Network MAC address is IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS. However the exact mechanisms/”interface” for doing this operation varies depending on the exact scenario being discussed. |
+| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen? | In short, all available values are used. In detail, there may be extra specific usage rules. The System disk serial number is more important than any other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, both will be used. |
+
+## The end user experience
+
+| Question | Answer |
+| --- | --- |
+| How do I know that I received Autopilot? | You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page. |
+| Windows Autopilot didn’t work, what do I do now? | Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information – run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). |
+| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? | No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE. |
+| What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy? | If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enrol that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience. |
+| What may be a reason why I did not receive a customized sign-in screen during Autopilot? | Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience. |
+| What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned? | The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device. |
+| How can I collect logs on Autopilot? | The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request. |
+
+
+## MDM
+
+| Question | Answer |
+| --- | --- |
+| Must we use Intune for our MDM? | No. No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune. You’ll get the best experience from Intune. |
+| Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. |
+| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premise configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. |
+| Must we use System Center Configuration Manager (SCCM) for Windows Autopilot | No. Co-management (described above) is optional. |
+
+
+## Features
+
+| Question | Answer |
+| --- | --- |
+| Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. It’s useful for scenarios where a standard user account isn’t needed (e.g., shared devices, or KIOSK devices). |
+| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premise Active Directory domain controller (in addition to being Azure AD joined). |
+| Windows Autopilot reset | Removes user apps and settings from a device, but maintains AAD domain join and MDM enrollment. Useful for when transferring a device from one user to another. |
+| Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created A username hint can be added Sign-in page text can be personalized The company’s logo can be included |
+| [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Win 7/8 devices. |
+
+
+
+## General
+
+| Question | Answer |
+| --- | --- |
+| If I wipe the machine and restart, will I still receive Windows Autopilot? | Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience. |
+| Can I harvest the device fingerprint on existing machines? | Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703. |
+| What is Windows 10, version 1703 7B and why does it matter? | Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:
Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.
**Key Take-Aways**: When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. |
+| What is the impact of not updating to 7B? | See the detailed scenario described directly above. |
+| Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile. | No, Windows Autopilot isn’t supported on other SKUs. |
+| Does Windows Autopilot work after MBR or image re-installation? | Yes. |
+| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. | There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune. (These are somewhat configurable but not “infinite.”) You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots. |
+| What happens if a device is registered to a malicious agent? | By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur. |
+| Where is the Windows Autopilot data stored? | Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot. |
+| Why is Windows Autopilot data stored in the US and not in a sovereign cloud? | It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft. |
+| How many ways are there to register a device for Windows Autopilot | There are six ways to register a device, depending on who is doing the registering:
1. OEM Direct API (only available to TVOs)
2. MPC via the MPC API (must be a CSP)
3. MPC via manual upload of CSV file in the UI (must be a CSP)
4. MSfB via CSV file upload
5. Intune via CSV file upload
6. Microsoft 365 Business portal via CSV file upload |
+| How many ways are there to create an Windows Autopilot profile? | There are four ways to create & assign an Windows Autopilot profile:
1. Through MPC (must be a CSP)
2. Through MSfB
3. Through Intune (or another MDM)
4. Microsoft 365 Business portal
Microsoft recommends creation and assignment of profiles through Intune.|
+| What are some common causes of registration failures? |
1. Bad or missing Hardware hash entries can lead to faulty registration attempts
2. Hidden special characters in CSV files.
To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.|
+
+## Glossary
+
+| Term | Meaning |
+| --- | --- |
+| CSV | Comma Separated Values (File type similar to Excel spreadsheet) |
+| MPC | Microsoft Partner Center |
+| MDM | Mobile Device Management |
+| OEM | Original Equipment Manufacturer |
+| CSP | Cloud Solution Provider |
+| MSfB | Microsoft Store for Business |
+| AAD | Azure Active Directory |
+| 4K HH | 4K Hardware Hash |
+| CBR | Computer Build Report |
+| EC | Enterprise Commerce |
+| DDS | Device Directory Service |
+| OOBE | Out of the Box Experience |
+| UUID | Universally Unique Identifier |
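Review bot: The answer to "Can I harvest the device fingerprint on existing machines?" in the General table contains a garbled phrase, "pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703", and needs rewording so it names the unsupported releases once. In the MDM table the Intune answer opens with "No. No,". The "malicious agent" answer says "What occurs is illustrated below" and the Autopilot sign-in answer says "as seen below", but neither row carries an illustration, so add the images or drop those phrases. The term "1703 7B" is also used in the first General row before the row that defines it; consider moving the definition up.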
diff --git a/windows/deployment/windows-autopilot/autopilot-support.md b/windows/deployment/windows-autopilot/autopilot-support.md
new file mode 100644
index 0000000000..65932a5cf6
--- /dev/null
+++ b/windows/deployment/windows-autopilot/autopilot-support.md
@@ -0,0 +1,43 @@
+---
+title: Windows Autopilot support
+description: Support information for Windows Autopilot
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/31/2018
+---
+
+# Windows Autopilot support information
+
+**Applies to: Windows 10**
+
+The following table displays support information for the Windows Autopilot program.
+
+Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md).
+
+| Audience | Support contact |
+| --- | --- |
+OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. |
+| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
Low – 120 hours
Normal – 72 hours
High – 24 hours
Immediate – 4 hours |
+| OEM with a PFE | Reach out to your PFE for support. |
+| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). |
+| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues. |
+| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. |
+| End-user | Contact your IT administrator. |
+| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. |
+| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. |
+| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). |
+| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. |
+| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. |
+| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. |
+
+
+
+
+
+
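Review bot: The Microsoft 365 Business row says support is accessible "directly through the Microsoft 365 Business portal when logged in" but links to https://support.microsoft.com/en-us, the general support site; link the portal's own support entry or reword the sentence. The OEM mailbox is also written two ways in this table, MSOEMOPS@microsoft.com and msoemops@microsoft.com, so pick one casing. The six empty lines added at the end of the file can be dropped.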
diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md
index f160513fc1..b3432a245a 100644
--- a/windows/deployment/windows-autopilot/enrollment-status.md
+++ b/windows/deployment/windows-autopilot/enrollment-status.md
@@ -10,28 +10,36 @@ ms.pagetype: deploy
ms.localizationpriority: medium
author: greg-lindsay
ms.author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 11/01/2018
---
# Windows Autopilot Enrollment Status page
The Windows Autopilot Enrollment Status page displaying the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being set up and can be configured to prevent access to the desktop until the configuration is complete.
- 
+ 
## Available settings
- The following settings can be configured:
+ The following settings can be configured to customize behavior of the enrollment status page:
- - Show app and profile installation progress. When enabled, the Enrollment Status page is displayed.
- - Block device use until all apps and profiles are installed. When enabled, the Enrollment Status page will be displayed until the device configuraton process is complete. When not enabled, the user can dismiss the page at any time.
- - Allow users to reset device if installation errors occur.
- - Allow users to use device if installation errors occur.
- - Show error when installation takes longer than the specified number of minutes.
- - Show custom error message when an error occurs.
- - Allow users to collect logs about installation errors.
+
+Setting | Yes | No
+ | Show app and profile installation progress | The enrollment status page is displayed. | The enrollment status page is not displayed.
+ |
Block device use until all apps and profiles are installed | The settings in this table are made available to customize behavior of the enrollment status page, so that the user can address potential installation issues.
+ | The enrollment status page is displayed with no additional options to address installation failures.
+ |
Allow users to reset device if installation error occurs | A Reset device button is displayed if there is an installation failure. | The Reset device button is not displayed if there is an installation failure.
+ |
Allow users to use device if installation error occurs | A Continue anyway button is displayed if there is an installation failure. | The Continue anyway button is not displayed if there is an installation failure.
+ |
Show error when installation takes longer than specified number of minutes | Specify the number of minutes to wait for installation to complete. A default value of 60 minutes is entered.
+ |
Show custom message when an error occurs | A text box is provided where you can specify a custom message to display in case of an installation error. | The default message is displayed: Oh no! Something didn't do what it was supposed to. Please contact your IT department.
+Allow users to collect logs about installation errors | If there is an installation error, a Collect logs button is displayed. If the user clicks this button they are asked to choose a location to save the log file MDMDiagReport.cab | The Collect logs button is not displayed if there is an installation error.
+ | |
-## Installation progress tracked
+See the following example:
+
+ 
+
+## Installation progress tracking
The Enrollment Status page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process. The specific types of policies that are tracked include:
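Review bot: In the new settings table the "Block device use until all apps and profiles are installed" row no longer says what the setting does. Its Yes cell reads "The settings in this table are made available to customize behavior of the enrollment status page", whereas the removed bullet explained that the page stays displayed until device configuration is complete and that, when not enabled, the user can dismiss it at any time. This is the setting that keeps users off the desktop until configuration has finished, so restore that description. The "Show error when installation takes longer than specified number of minutes" row also has a single description and no text for the No case.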
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
index 49e0b6a3ef..72bca7e019 100644
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
-ms.date: 10/22/2018
+ms.date: 11/05/2018
---
# Windows Autopilot for existing devices
@@ -295,6 +295,10 @@ The Task Sequence will download content, reboot, format the drives and install W
### Register the device for Windows Autopilot
-Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. There is currently no automatic registration into Windows Autopilot. Therefore, once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset.
+Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-deployment-profile).
-For more information, see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices).
+Also see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices).
+
+## Speeding up the deployment process
+
+To remove around 20 minutes from the deployment process, see Michael Niehaus's blog with instructions for [Speeding up Windows Autopilot for existing devices](https://blogs.technet.microsoft.com/mniehaus/2018/10/25/speeding-up-windows-autopilot-for-existing-devices/).
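Review bot: The new Intune link in the "Register the device for Windows Autopilot" paragraph hardcodes the locale (docs.microsoft.com/en-us/intune/...), while the add-devices link just below it omits one; drop "/en-us" for consistency. The paragraph also says the device "should be registered" and then offers automatic registration through "Convert all targeted devices to Autopilot" without saying whether manual registration is still needed when that setting is on; one clarifying sentence would help.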
diff --git a/windows/deployment/windows-autopilot/images/connector-fail.png b/windows/deployment/windows-autopilot/images/connector-fail.png
new file mode 100644
index 0000000000..2d8abb5785
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/connector-fail.png differ
diff --git a/windows/deployment/windows-autopilot/images/esp-settings.png b/windows/deployment/windows-autopilot/images/esp-settings.png
new file mode 100644
index 0000000000..0153ba58f9
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/esp-settings.png differ
diff --git a/windows/deployment/windows-autopilot/intune-connector.md b/windows/deployment/windows-autopilot/intune-connector.md
new file mode 100644
index 0000000000..cc2d85e737
--- /dev/null
+++ b/windows/deployment/windows-autopilot/intune-connector.md
@@ -0,0 +1,66 @@
+---
+title: Intune Connector (preview) requirements
+description: Intune Connector (preview) issue workaround
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 11/13/2018
+---
+
+
+# Intune Connector (preview) language requirements
+
+**Applies to: Windows 10**
+
+Microsoft has released a [preview for Intune connector for Active Directory](https://docs.microsoft.com/intune/windows-autopilot-hybrid) that enables user-driven [Hybrid Azure Active Directory join](user-driven-hybrid.md) for Windows Autopilot.
+
+In this preview version of the Intune Connector, you might receive an error message indicating a setup failure with the following error code and message:
+
+**0x80070658 - Error applying transforms. Verify that the specified transform paths are valid.**
+
+See the following example:
+
+
+
+This error can be resolved by ensuring that the member server where Intune Connector is running has one of the following language packs installed and configured to be the default keyboard layout:
+
+en-US
+cs-CZ
+da-DK
+de-DE
+el-GR
+es-ES
+fi-FI
+fr-FR
+hu-HU
+it-IT
+ja-JP
+ko-KR
+nb-NO
+nl-NL
+pl-PL
+pt-BR
+ro-RO
+ru-RU
+sv-SE
+tr-TR
+zh-CN
+zh-TW
+
+This solution is a workaround and will be fully resolved in a future release of the Intune Connector.
+
+To change the default keyboard layout:
+
+1. Click **Settings > Time & language > Region and language**
+2. Select one of the languages listed above and choose **Set as default**.
+
+Note: If the language you need isn't listed, you can add additional languages by selecting **Add a language**.
+
+
+
+
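Review bot: The workaround text mixes three different things: it asks for a "language pack" that is "configured to be the default keyboard layout", while the steps select a language under Region and language and choose "Set as default". State precisely which setting has to match the listed locales (installed language pack, default display language, or keyboard layout) so an administrator can verify it on the member server. The front matter and heading also disagree on what the page is: title "requirements", description "issue workaround", H1 "language requirements". The closing "Note:" line could use the >[!NOTE] form used elsewhere in this doc set.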
diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md
index 6da9e99b33..b63517060d 100644
--- a/windows/deployment/windows-autopilot/user-driven-aad.md
+++ b/windows/deployment/windows-autopilot/user-driven-aad.md
@@ -1,19 +1,35 @@
----
-title: User-driven mode for AAD
-description: Listing of Autopilot scenarios
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: low
-ms.sitesec: library
-ms.pagetype: deploy
-author: greg-lindsay
-ms.author: greg-lindsay
-ms.date: 10/02/2018
----
-
-# Windows Autopilot user-driven mode for Azure Active Directory
-
-**Applies to: Windows 10**
-
-PLACEHOLDER. This topic is a placeholder for the AAD-specific instuctions currently in user-driven.md.
+---
+title: User-driven mode for AAD
+description: Listing of Autopilot scenarios
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 11/07/2018
+---
+
+# Windows Autopilot user-driven mode for Azure Active Directory join
+
+**Applies to: Windows 10**
+
+## Procedures
+
+In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
+
+- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
+- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
+- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
+
+For each device that will be deployed using user-driven deployment, these additional steps are needed:
+
+- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
+- Ensure an Autopilot profile has been assigned to the device:
+ - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
+ - If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
+ - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
+
+Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic.
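Review bot: The front matter keeps description "Listing of Autopilot scenarios", which does not describe a page of user-driven Azure AD join procedures; update it along with the new H1. Every front-matter line shows as removed and re-added although only ms.date differs in content, so check whether this change rewrote line endings or whitespace for the whole file and, if so, whether that was intended.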
diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md
index 6f4a760dcc..a5fa678ff4 100644
--- a/windows/deployment/windows-autopilot/user-driven-hybrid.md
+++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md
@@ -9,12 +9,32 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 11/12/2018
---
-# Windows Autopilot user-driven mode for Hybrid Azure Active Directory Join
+# Windows Autopilot user-driven mode for hybrid Azure Active Directory join
**Applies to: Windows 10**
-PLACEHOLDER. This topic is a placeholder for the AD-specific (hybrid) instuctions.
+Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan).
+
+## Requirements
+
+To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
+
+- A Windows Autopilot profile for user-driven mode must be created and
+ - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile.
+- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
+- The device must be running Windows 10, version 1809 or later.
+- The device must be connected to the Internet and have access to an Active Directory domain controller.
+- The Intune Connector for Active Directory must be installed.
+ - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf.
+
+**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default.
+
+## Step by step instructions
+
+See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).
+
+Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic.
\ No newline at end of file
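Review bot: The Intune Connector note under Requirements tells readers that users need no on-prem AD-join permission because the Connector joins on their behalf, but only the link anchor hints at what has to be configured (the computer account limit in the organizational unit). Say in the text what is being delegated to the Connector and on which organizational unit, so administrators know what rights they are granting. The first Requirements bullet also ends on a dangling "must be created and" with the rest of the sentence pushed into a sub-bullet, and the file has no newline at the end.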
diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md
index 1aa1ad5321..4fd86ef3b5 100644
--- a/windows/deployment/windows-autopilot/user-driven.md
+++ b/windows/deployment/windows-autopilot/user-driven.md
@@ -8,11 +8,13 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 11/07/2018
ms.author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 11/07/2018
---
+# Windows Autopilot user-driven mode
+
Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions:
- Unbox the device, plug it in, and turn it on.
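Review bot: The front matter carries ms.date twice, with ms.author between the two copies, and this change updates both copies to 11/07/2018 instead of removing the duplicate. Keep a single ms.date line.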
@@ -24,21 +26,12 @@ After completing those simple steps, the remainder of the process is completely
Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
-## Step by step
+## Available user-driven modes
-In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
+The following options are available for user-driven deployment:
-- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
-- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
-- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
-
-For each machine that will be deployed using user-driven deployment, these additional steps are needed:
-
-- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
-- Ensure an Autopilot profile has been assigned to the device:
- - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
- - If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
- - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
+- [Azure Active Directory join](user-driven-aad.md) is available if devices do not need to be joined to an on-prem Active Directory domain.
+- [Hybrid Azure Active Directory join](user-driven-hybrid.md) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain.
## Validation
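Review bot: The unchanged paragraph directly above the new "Available user-driven modes" section still says that support for Hybrid Azure Active Directory Join "will be available in a future Windows 10 release", while the new list links to hybrid join as an available option. Update or remove that sentence in the same change so the page does not contradict itself.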
diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot.md b/windows/deployment/windows-autopilot/windows-10-autopilot.md
index 9611b51a68..6b988faa67 100644
--- a/windows/deployment/windows-autopilot/windows-10-autopilot.md
+++ b/windows/deployment/windows-autopilot/windows-10-autopilot.md
@@ -51,8 +51,8 @@ The Windows Autopilot Deployment Program enables you to:
##### Prerequisites
- >[!NOTE]
- >Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
+>[!NOTE]
+>Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
* [Devices must be registered to the organization](#device-registration-and-oobe-customization)
* [Company branding needs to be configured](#configure-company-branding-for-oobe)
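Review bot: The NOTE being re-indented here still states that support for Hybrid Azure Active Directory Join "will be available in a future Windows 10 release", which conflicts with user-driven-hybrid.md in this same change, where hybrid join is documented with a requirement of Windows 10, version 1809 or later. Reword the note while touching it rather than only fixing its indentation.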
@@ -126,7 +126,7 @@ To manage devices behind firewalls and proxy servers, the following URLs need to
>Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible.
>[!TIP]
->If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidlines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
+>If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
### IT-Driven
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
index b6b1551f62..2b9a7d76f8 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
@@ -12,7 +12,7 @@ ms.author: greg-lindsay
ms.date: 10/02/2018
ms.author: greg-lindsay
ms.date: 10/02/2018
-
+---
# Windows Autopilot licensing requirements
**Applies to: Windows 10**
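Review bot: Adding the closing "---" fixes the unterminated front matter, but the context lines directly above it still carry ms.author: greg-lindsay and ms.date: 10/02/2018 twice. Duplicate keys in a metadata block are ambiguous at best, so drop the repeated pair in the same change.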
diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md
index a229e2df1a..5a0db3b73e 100644
--- a/windows/privacy/TOC.md
+++ b/windows/privacy/TOC.md
@@ -1,6 +1,6 @@
# [Privacy](index.yml)
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
-## [Windows 10 and the GDPR for IT Decision Makers](gdpr-it-guidance.md)
+## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md)
## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md)
## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
@@ -14,7 +14,10 @@
## Full level categories
### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
-## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
+## Manage Windows 10 connection endpoints
+### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
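Review bot: "Manage Windows 10 connection endpoints" changes from a link to manage-windows-endpoints.md into a plain heading, so the old page drops out of the TOC. Confirm that manage-windows-endpoints.md is either redirected to one of the new per-version pages or removed, and that nothing else links to it. Otherwise administrators following older links land on an endpoint list that is no longer maintained. The new per-version entries stop at 1809 for Enterprise while the non-Enterprise entries below stop at 1803; note whether that gap is intentional.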
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index dce0c91085..22aa33e4b3 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 09/10/2018
+ms.date: 11/07/2018
---
@@ -28,6 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
+
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
@@ -60,15 +61,15 @@ The following fields are available:
- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
-- **InventoryLanguagePack** The count of DecisionApplicationFile objects present on this machine targeting the next release of Windows
-- **InventorySystemBios** The count of DecisionDevicePnp objects present on this machine targeting the next release of Windows
-- **PCFP** The count of DecisionDriverPackage objects present on this machine targeting the next release of Windows
-- **SystemProcessorCompareExchange** The count of DecisionMatchingInfoBlock objects present on this machine targeting the next release of Windows
-- **SystemProcessorNx** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
-- **SystemProcessorSse2** The count of DecisionMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
-- **SystemWim** The count of DecisionMediaCenter objects present on this machine targeting the next release of Windows
-- **SystemWindowsActivationStatus** The count of DecisionSystemBios objects present on this machine targeting the next release of Windows
-- **SystemWlan** The count of InventoryApplicationFile objects present on this machine.
+- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device.
+- **InventorySystemBios** The total InventorySystemBios objects that are present on this device.
+- **PCFP** An ID for the system that is calculated by hashing hardware identifiers.
+- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device.
+- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device.
+- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device.
+- **SystemWim** The total SystemWim objects that are present on this device
+- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device.
+- **SystemWlan** The total SystemWlan objects that are present on this device.
- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
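Review bot: PCFP is now described as "An ID for the system that is calculated by hashing hardware identifiers", which makes it the one device identifier in a list where every other field is an object count. For a privacy reference, say which hardware identifiers feed the hash, or at least state that the value is a persistent device ID, so a reader auditing this event does not skim past it. Minor: the SystemWim line is the only added entry without a trailing period.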
@@ -1472,6 +1473,12 @@ The following fields are available:
- **SocketCount** Number of physical CPU sockets of the machine.
+### Census.Security
+
+Provides information on several important data points about security settings.
+
+
+
### Census.Speech
This event is used to gather basic speech settings on the device.
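Review bot: Census.Security is added with a one-line description and no "The following fields are available:" list, unlike the neighbouring Census events. "Several important data points about security settings" does not tell an administrator what is collected; list the fields, or state explicitly that the event carries none on this version.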
@@ -2058,6 +2065,23 @@ The following fields are available:
- **devinv.dll** The file version of the Device inventory component.
+### Microsoft.Windows.Inventory.Core.FileSigningInfoAdd
+
+This event enumerates the signatures of files, either driver packages or application executables. For driver packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages, saving time for the client and space on the server. For applications, this data is collected for up to 10 random executables on a system.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **CatalogSigners** Signers from catalog. Each signer starts with Chain.
+- **DriverPackageStrongName** Optional. Available only if FileSigningInfo is collected on a driver package.
+- **EmbeddedSigners** Embedded signers. Each signer starts with Chain.
+- **FileName** The file name of the file whose signatures are listed.
+- **FileType** Either exe or sys, depending on if a driver package or application executable.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Thumbprint** Comma separated hash of the leaf node of each signer. Semicolon is used to separate CatalogSigners from EmbeddedSigners. There will always be a trailing comma.
+
+
### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
This event sends basic metadata about an application on the system to help keep Windows up to date.
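Review bot: The Thumbprint field says "Comma separated hash of the leaf node of each signer" but does not name the hash algorithm or say whether the values follow the order of the signers in CatalogSigners and EmbeddedSigners, so the field cannot be matched against a certificate thumbprint from the description alone. Name the algorithm and the ordering. Also, "Each signer starts with Chain." in CatalogSigners and EmbeddedSigners needs a short explanation of what "Chain" denotes, and FileType reads more clearly as "exe for an application executable, sys for a driver package".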
@@ -2251,7 +2275,7 @@ The following fields are available:
- **Enumerator** The bus that enumerated the device
- **HWID** A JSON array that provides the value and order of the HWID tree for the device. See [HWID](#hwid).
- **Inf** The INF file name.
-- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
- **InventoryVersion** The version of the inventory file generating the events.
- **LowerClassFilters** Lower filter class drivers IDs installed for the device.
- **LowerFilters** Lower filter drivers IDs installed for the device
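Review bot: The InstallState link changes from the locale-neutral URL to one with "/en-us/" hard-coded, which pins localized readers to the English page. Keep the locale-free form of the URL, and consider making it a named Markdown link rather than a bare URL, as the HWID entry above does.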
@@ -2379,6 +2403,90 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
+
+Invalid variant - Provides data on the installed Office Add-ins
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
+
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
+
+Provides data on the Office identifiers.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
+
+Provides data on Office-related Internet Explorer features.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
+
+This event provides insight data on the installed Office products
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
+
+Describes Office Products installed.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
+
+This event describes various Office settings
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
+
+Indicates a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
+
+Provides data on Unified Update Platform (UUP) products and what version they are at.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+
+
### Microsoft.Windows.Inventory.Indicators.Checksum
This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
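Review bot: The description for InventoryMiscellaneousOfficeAddInAdd begins with "Invalid variant - ", which reads like generator output that leaked into the published text; remove the prefix or explain it. None of the fourteen events added in this hunk has a field list, so the page now names Office and UUP inventory events without saying what data they carry; add "The following fields are available:" sections or state that the fields are not documented for this version. Minor: the OfficeInsightsAdd and OfficeSettingsAdd descriptions are missing their trailing periods.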
@@ -2546,14 +2654,14 @@ The following fields are available:
- **AppVersion** The version of the app.
- **BuildArch** Is the architecture x86 or x64?
- **Environment** Is the device on the production or int service?
-- **IsMSFTInternal** Is this an internal Microsoft device?
-- **MachineGuid** The CEIP machine ID.
+- **IsMSFTInternal** TRUE if the device is an internal Microsoft device.
+- **MachineGuid** The GUID (Globally Unique ID) that identifies the machine for the CEIP (Customer Experience Improvement Program).
- **Market** Which market is this in?
- **OfficeVersion** The version of Office that is installed.
- **OneDriveDeviceId** The OneDrive device ID.
- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
- **OSUserName** Only if the device is internal to Microsoft, the user name.
-- **UserGuid** A unique global user identifier.
+- **UserGuid** The GUID (Globally Unique ID) of the user currently logged in.
### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
@@ -2605,12 +2713,12 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
-This event determines the outcome of the operation.
+This event sends information describing the result of the update.
The following fields are available:
- **hr** The HResult of the operation.
-- **IsLoggingEnabled** Is logging enabled?
+- **IsLoggingEnabled** Indicates whether logging is enabled for the updater.
- **UpdaterVersion** The version of the updater.
@@ -2642,11 +2750,48 @@ The following fields are available:
- **winInetError** The HResult of the operation.
+## Other events
+
+### Microsoft.Xbox.XamTelemetry.AppActivationError
+
+This event indicates whether the system detected an activation error in the app.
+
+The following fields are available:
+
+- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app.
+- **AppId** The Xbox LIVE Title ID.
+- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate.
+- **Result** The HResult error.
+- **UserId** The Xbox LIVE User ID (XUID).
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivity
+
+This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
+
+The following fields are available:
+
+- **AppActionId** The ID of the application action.
+- **AppCurrentVisibilityState** The ID of the current application visibility state.
+- **AppId** The Xbox LIVE Title ID of the app.
+- **AppPackageFullName** The full name of the application package.
+- **AppPreviousVisibilityState** The ID of the previous application visibility state.
+- **AppSessionId** The application session ID.
+- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
+- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
+- **DurationMs** The amount of time (in milliseconds) since the last application state transition.
+- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license.
+- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc).
+- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license.
+- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application.
+- **UserId** The XUID (Xbox User ID) of the current user.
+
+
## Remediation events
### Microsoft.Windows.Remediation.Applicable
-This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
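Review bot: In the LicenseType entry, "The type of licensed used to authorize the app" should read "The type of license used". Separately, the new description for Microsoft.Windows.Remediation.Applicable replaces a sentence that said what the event signals with a generic one ("sends simple device connectivity and configuration data about an application installed on the system"), and the same sentence is reused for Completed and Started later in the patch, so the three events can no longer be told apart from their descriptions. Keep one distinguishing clause per event. The "Other events" heading holds only Xbox XamTelemetry events; a heading that names them would be easier to find.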
@@ -2669,7 +2814,7 @@ The following fields are available:
- **HResult** The HRESULT for detection or perform action phases of the plugin.
- **IsAppraiserLatestResult** The HRESULT from the appraiser task.
- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected.
-- **LastHresult** The HRESULT for detection or perform action phases of the plugin.
+- **LastHresult** The HResult of the operation.
- **LastRun** The date of the most recent SIH run.
- **NextRun** Date of the next scheduled SIH run.
- **PackageVersion** The version of the current remediation package.
@@ -2730,7 +2875,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.Completed
-This event enables completion tracking of a process that remediates issues preventing security and quality updates.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
@@ -2807,7 +2952,7 @@ The following fields are available:
- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present.
- **usoScanIsUserLoggedOn** TRUE if the user is logged on.
- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late).
-- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background).
+- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background".
- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes.
- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes.
- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes.
@@ -2819,156 +2964,17 @@ The following fields are available:
- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes.
-### Microsoft.Windows.Remediation.DiskCleanUnExpectedErrorEvent
-
-This event indicates that an unexpected error occurred during an update and provides information to help address the issue.
-
-The following fields are available:
-
-- **CV** The Correlation vector.
-- **ErrorMessage** A description of any errors encountered while the plug-in was running.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **Hresult** The result of the event execution.
-- **PackageVersion** The version number of the current remediation package.
-- **SessionGuid** GUID associated with a given execution of sediment pack.
-
-
-### Microsoft.Windows.Remediation.Error
-
-This event indicates a Sediment Pack error (update stack failure) has been detected and provides information to help address the issue.
-
-The following fields are available:
-
-- **HResult** The result of the event execution.
-- **Message** A message containing information about the error that occurred.
-- **PackageVersion** The version number of the current remediation package.
-
-
-### Microsoft.Windows.Remediation.FallbackError
-
-This event indicates an error when Self Update results in a Fallback and provides information to help address the issue.
-
-The following fields are available:
-
-- **s0** Indicates the Fallback error level. See [Microsoft.Windows.Remediation.wilResult](#microsoftwindowsremediationwilresult).
-- **wilResult** The result of the Windows Installer Logging. See [wilResult](#wilresult).
-
-
-### Microsoft.Windows.Remediation.RemediationNotifyUserFixIssuesInvokeUIEvent
-
-This event occurs when the Notify User task executes and provides information about the cause of the notification.
-
-The following fields are available:
-
-- **CV** The Correlation vector.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **PackageVersion** The version number of the current remediation package.
-- **RemediationNotifyUserFixIssuesCallResult** The result of calling the USO (Update Session Orchestrator) sequence steps.
-- **RemediationNotifyUserFixIssuesUsoDownloadCalledHr** The error code from the USO (Update Session Orchestrator) download call.
-- **RemediationNotifyUserFixIssuesUsoInitializedHr** The error code from the USO (Update Session Orchestrator) initialize call.
-- **RemediationNotifyUserFixIssuesUsoProxyBlanketHr** The error code from the USO (Update Session Orchestrator) proxy blanket call.
-- **RemediationNotifyUserFixIssuesUsoSetSessionHr** The error code from the USO (Update Session Orchestrator) session call.
-
-
-### Microsoft.Windows.Remediation.RemediationShellFailedAutomaticAppUpdateModifyEventId
-
-This event provides the modification of the date on which an Automatic App Update scheduled task failed and provides information about the failure.
-
-The following fields are available:
-
-- **CV** The Correlation Vector.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **hResult** The result of the event execution.
-- **PackageVersion** The version number of the current remediation package.
-
-
-### Microsoft.Windows.Remediation.RemediationShellUnexpectedExceptionId
-
-This event identifies the remediation plug-in that returned an unexpected exception and provides information about the exception.
-
-The following fields are available:
-
-- **CV** The Correlation Vector.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **PackageVersion** The version number of the current remediation package.
-- **RemediationShellUnexpectedExceptionId** The ID of the remediation plug-in that caused the exception.
-
-
-### Microsoft.Windows.Remediation.RemediationUHEnableServiceFailed
-
-This event tracks the health of key update (Remediation) services and whether they are enabled.
-
-The following fields are available:
-
-- **CV** The Correlation Vector.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **hResult** The result of the event execution.
-- **PackageVersion** The version number of the current remediation package.
-- **serviceName** The name associated with the operation.
-
-
-### Microsoft.Windows.Remediation.RemediationUpgradeSucceededDataEventId
-
-This event returns information about the upgrade upon success to help ensure Windows is up to date.
-
-The following fields are available:
-
-- **AppraiserPlugin** TRUE / FALSE depending on whether the Appraiser plug-in task fix was successful.
-- **ClearAUOptionsPlugin** TRUE / FALSE depending on whether the AU (Auto Updater) Options registry keys were successfully deleted.
-- **CV** The Correlation Vector.
-- **DatetimeSyncPlugin** TRUE / FALSE depending on whether the DateTimeSync plug-in ran successfully.
-- **DiskCleanupPlugin** TRUE / FALSE depending on whether the DiskCleanup plug-in ran successfully.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **NoisyHammerPlugin** TRUE / FALSE depending on whether the NoisyHammer plug-in ran successfully.
-- **PackageVersion** The version number of the current remediation package.
-- **RebootRequiredPlugin** TRUE / FALSE depending on whether the Reboot plug-in ran successfully.
-- **RemediationNotifyUserFixIssuesPlugin** TRUE / FALSE depending on whether the User Fix Issues plug-in ran successfully
-- **RemediationPostUpgradeDiskSpace** The amount of disk space available after the upgrade.
-- **RemediationPostUpgradeHibernationSize** The size of the Hibernation file after the upgrade.
-- **ServiceHealthPlugin** A list of services updated by the plug-in.
-- **SIHHealthPlugin** TRUE / FALSE depending on whether the SIH Health plug-in ran successfully.
-- **StackDataResetPlugin** TRUE / FALSE depending on whether the update stack completed successfully.
-- **TaskHealthPlugin** A list of tasks updated by the plug-in.
-- **UpdateApplicabilityFixerPlugin** TRUE / FALSE depending on whether the update applicability fixer plug-in completed successfully.
-- **WindowsUpdateEndpointPlugin** TRUE / FALSE depending on whether the Windows Update Endpoint was successful.
-
-
### Microsoft.Windows.Remediation.Started
-This event reports whether a plug-in started, to help ensure Windows is up to date.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
-- **CV** The Correlation Vector.
-- **GlobalEventCounter** The client-side counter that indicates ordering of events.
-- **PackageVersion** The version number of the current remediation package.
-- **PluginName** The name of the plug-in specified for each generic plug-in event.
-- **Result** The HRESULT for Detection or Perform Action phases of the plug-in.
-
-
-### Microsoft.Windows.Remediation.wilResult
-
-This event provides Self Update information to help keep Windows up to date.
-
-The following fields are available:
-
-- **callContext** A list of diagnostic activities containing this error.
-- **currentContextId** An identifier for the newest diagnostic activity containing this error.
-- **currentContextMessage** A message associated with the most recent diagnostic activity containing this error (if any).
-- **currentContextName** Name of the most recent diagnostic activity containing this error.
-- **failureCount** Number of failures seen within the binary where the error occurred.
-- **failureId** The identifier assigned to this failure.
-- **failureType** Indicates the type of failure observed (exception, returned, error, logged error, or fail fast).
-- **fileName** The source code file name where the error occurred.
-- **function** The name of the function where the error occurred.
-- **hresult** The failure error code.
-- **lineNumber** The Line Number within the source code file where the error occurred.
-- **message** A message associated with the failure (if any).
-- **module** The name of the binary module in which the error occurred.
-- **originatingContextId** The identifier for the oldest diagnostic activity containing this error.
-- **originatingContextMessage** A message associated with the oldest diagnostic activity containing this error (if any).
-- **originatingContextName** The name of the oldest diagnostic activity containing this error.
-- **threadId** The identifier of the thread the error occurred on.
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
## Sediment events
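Review bot: This hunk removes ten documented Remediation events (DiskCleanUnExpectedErrorEvent, Error, FallbackError, wilResult and others) from a page whose purpose is to list what the device sends. Confirm in the change description that these events are no longer emitted on version 1703; if they are still sent, removing them makes the reference under-report collection. In the rewritten Started fields, GlobalEventCounter is "ordering of events sent by this user", while the SedimentLauncher and SedimentService hunks in this same patch strip "sent by this user" from that field; pick one wording. The field text also switches from "plug-in" to "plugin", which undoes the spelling used in the lines being removed.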
@@ -3320,15 +3326,17 @@ The following fields are available:
- **Time** The system time at which the event occurred.
+## Sediment Launcher events
+
### Microsoft.Windows.SedimentLauncher.Applicable
-Indicates whether a given plugin is applicable.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
- **CV** Correlation vector.
- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings.
- **IsSelfUpdateNeeded** True if self update needed by device.
- **PackageVersion** Current package version of Remediation.
@@ -3338,97 +3346,43 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Completed
-Indicates whether a given plugin has completed its work.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
- **CV** Correlation vector.
- **FailedReasons** Concatenated list of failure reasons.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher.
-### Microsoft.Windows.SedimentLauncher.Error
-
-This event indicates an error occurred during the execution of the plug-in. The information provided helps ensure future upgrade/update attempts are more successful.
-
-The following fields are available:
-
-- **HResult** The result for the Detection or Perform Action phases of the plug-in.
-- **Message** A message containing information about the error that occurred (if any).
-- **PackageVersion** The version number of the current remediation package.
-
-
-### Microsoft.Windows.SedimentLauncher.FallbackError
-
-This event indicates that an error occurred during execution of the plug-in fallback.
-
-The following fields are available:
-
-- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult).
-
-
-### Microsoft.Windows.SedimentLauncher.Information
-
-This event provides general information returned from the plug-in.
-
-The following fields are available:
-
-- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
-- **Message** Information message returned from a plugin containing only information internal to the plugins execution.
-- **PackageVersion** Current package version of Remediation.
-
-
### Microsoft.Windows.SedimentLauncher.Started
-This event indicates that a given plug-in has started.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
-### Microsoft.Windows.SedimentLauncher.wilResult
-
-This event provides the result from the Windows internal library.
-
-The following fields are available:
-
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failureCount** Number of failures seen within the binary where the error occurred.
-- **failureId** Identifier assigned to this failure.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
-- **fileName** Source code file name where the error occurred.
-- **function** Name of the function where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source code file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
-
+## Sediment Service events
### Microsoft.Windows.SedimentService.Applicable
-This event indicates whether a given plug-in is applicable.
+This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
The following fields are available:
- **CV** Correlation vector.
- **DetectedCondition** Determine whether action needs to run based on device properties.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings.
- **IsSelfUpdateNeeded** Indicates if self update is needed.
- **PackageVersion** Current package version of Remediation.
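Review bot: The replacement descriptions for SedimentLauncher.Started and SedimentService.Applicable no longer say what each event signals (plug-in started, plug-in applicable). Both now carry near-identical "simple device connectivity and configuration data" wording, so a reader cannot tell the events apart from the text. Suggest keeping the original first sentence and appending the purpose clause to it rather than replacing it.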
@@ -3438,13 +3392,13 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Completed
-This event indicates whether a given plug-in has completed its work.
+This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
The following fields are available:
- **CV** Correlation vector.
- **FailedReasons** List of reasons when the plugin action failed.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
@@ -3458,40 +3412,9 @@ The following fields are available:
- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again.
-### Microsoft.Windows.SedimentService.Error
-
-This event indicates whether an error condition occurred in the plug-in.
-
-The following fields are available:
-
-- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
-- **Message** Custom message associated with the failure (if any).
-- **PackageVersion** Current package version of Remediation.
-
-
-### Microsoft.Windows.SedimentService.FallbackError
-
-This event indicates whether an error occurred for a fallback in the plug-in.
-
-The following fields are available:
-
-- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult).
-
-
-### Microsoft.Windows.SedimentService.Information
-
-This event provides general information returned from the plug-in.
-
-The following fields are available:
-
-- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
-- **Message** Custom message associated with the failure (if any).
-- **PackageVersion** Current package version of Remediation.
-
-
### Microsoft.Windows.SedimentService.Started
-This event indicates a specified plug-in has started. This information helps ensure Windows is up to date.
+This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
The following fields are available:
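Review bot: The sections for SedimentService.Error, FallbackError and Information are deleted here with no indication of whether the events were retired or only undocumented; please state which in the commit message or the page. The new SedimentService.Started description is also word for word the one this patch gives Applicable and Completed, and it drops "a specified plug-in has started", which was the only text that distinguished the event.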
@@ -3502,31 +3425,6 @@ The following fields are available:
- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
-### Microsoft.Windows.SedimentService.wilResult
-
-This event provides the result from the Windows internal library.
-
-The following fields are available:
-
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failureCount** Number of failures seen within the binary where the error occurred.
-- **failureId** Identifier assigned to this failure.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
-- **fileName** Source code file name where the error occurred.
-- **function** Name of the function where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source code file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
-
-
## Setup events
### SetupPlatformTel.SetupPlatformTelActivityEvent
@@ -3821,7 +3719,7 @@ The following fields are available:
- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
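Review bot: The ServiceGuid line changes "Microsoft Store" back to "Windows Store", which reads like an unintended revert from syncing against an older source rather than a deliberate edit. Confirm which name is intended and keep "Microsoft Store" if there is no reason for the change.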
@@ -4118,6 +4016,22 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
+### Update360Telemetry.UpdateAgent_FellBackToCanonical
+
+This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **PackageCount** The number of packages that fell back to “canonical”.
+- **PackageList** PackageIDs which fell back to “canonical”.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
### Update360Telemetry.UpdateAgent_Initialize
This event sends data during the initialize phase of updating Windows.
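Review bot: In the UpdateAgent_FellBackToCanonical description the semicolon before "which is leveraged by both Mobile and Desktop" should be a comma, since what follows is a relative clause and not an independent sentence. The added lines also use curly quotes around “canonical” in three places; use straight quotes or none so the Markdown source stays ASCII-consistent with the rest of the file.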
@@ -4152,6 +4066,22 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
+### Update360Telemetry.UpdateAgent_Merge
+
+This event sends data on the merge phase when updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current reboot.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
### Update360Telemetry.UpdateAgent_ModeStart
This event sends data for the start of each mode during the process of updating Windows.
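Review bot: ErrorCode in the new UpdateAgent_Merge section is described as "The error code returned for the current reboot", which does not fit an event documented as covering the merge phase and looks copied from a reboot event. Suggest "The error code returned for the current merge phase", or confirm that the reboot wording is really intended.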
@@ -4184,6 +4114,130 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
+### Update360Telemetry.UpdateAgentDownloadRequest
+
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile.
+
+The following fields are available:
+
+- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **DownloadRequests** Number of times a download was retried.
+- **ErrorCode** The error code returned for the current download request phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique ID for each flight.
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCountOptional** # of optional packages requested.
+- **PackageCountRequired** # of required packages requested.
+- **PackageCountTotal** Total # of packages needed.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **PackageExpressType** Type of express package.
+- **PackageSizeCanonical** Size of canonical packages in bytes.
+- **PackageSizeDiff** Size of diff packages in bytes.
+- **PackageSizeExpress** Size of express packages in bytes.
+- **RangeRequestState** Indicates the range request type used.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the download request phase of update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentInitialize
+
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentMitigationResult
+
+This event sends data indicating the result of each update agent mitigation.
+
+The following fields are available:
+
+- **Applicable** Indicates whether the mitigation is applicable for the current update.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightId** Unique identifier for each flight.
+- **Index** The mitigation index of this particular mitigation.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly name of the mitigation.
+- **ObjectId** Unique value for each Update Agent mode.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentMitigationSummary
+
+This event sends a summary of all the update agent mitigations available for an this update.
+
+
+
+### Update360Telemetry.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **Mode** Indicates the mode that has started.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **Version** Version of update
+
+
+### Update360Telemetry.UpdateAgentOneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+
+
+### Update360Telemetry.UpdateAgentSetupBoxLaunch
+
+The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
+
+The following fields are available:
+
+- **ContainsExpressPackage** Indicates whether the download package is express.
+- **FlightId** Unique ID for each flight.
+- **FreeSpace** Free space on OS partition.
+- **InstallCount** Number of install attempts using the same sandbox.
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **SandboxSize** Size of the sandbox.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **SetupMode** Mode of setup to be launched.
+- **UpdateId** Unique ID for each Update.
+- **UserSession** Indicates whether install was invoked by user actions.
+
+
## Upgrade events
### Setup360Telemetry.Downlevel
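Review bot: Several descriptions in this added block look copied from other events without being adapted. In UpdateAgentInitialize, ErrorCode and Result are described in terms of the "install phase"; UpdateAgentOneSettings is described as covering the "post reboot phase" and never mentions OneSettings; and the UpdateAgentSetupBoxLaunch text calls the event "UpdateAgent_SetupBoxLaunch" although the heading has no underscore. UpdateAgentMitigationSummary has a typo ("available for an this update"), and both it and UpdateAgentOneSettings have no field list, so say explicitly if no fields are collected. The PackageCount fields also mix "# of" with "Total number of"; pick one form.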
@@ -4242,9 +4296,9 @@ The following fields are available:
- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
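Review bot: The trailing period is added to Setup360Scenario ("MCT.") and removed from State ("cancelled") in the same hunk, so the two adjacent example lists end up inconsistent in the opposite direction from before. Keep the period on both lines.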
@@ -4375,6 +4429,24 @@ This event helps determine whether the device received supplemental content duri
+### Setup360Telemetry.Setup360MitigationResult
+
+This event sends data indicating the result of each setup mitigation.
+
+
+
+### Setup360Telemetry.Setup360MitigationSummary
+
+This event sends a summary of all the setup mitigations available for this update.
+
+
+
+### Setup360Telemetry.Setup360OneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+
+
### Setup360Telemetry.UnexpectedEvent
This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
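Review bot: The Setup360OneSettings description is the UUP "post reboot phase" sentence and says nothing about Setup360 or OneSettings, so it appears to be pasted from another event. All three added sections (Setup360MitigationResult, Setup360MitigationSummary, Setup360OneSettings) also have no "The following fields are available" list; add the fields or state that none are documented.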
@@ -4819,11 +4891,11 @@ The following fields are available:
- **errorCode** The error code that was returned.
- **experimentId** When running a test, this is used to correlate events that are part of the same test.
- **fileID** The ID of the file being downloaded.
-- **isVpn** Is the device connected to a Virtual Private Network?
+- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network).
- **scenarioID** The ID of the scenario.
- **sessionID** The ID of the file download session.
- **updateID** The ID of the update being downloaded.
-- **usedMemoryStream** Did the download use memory streaming?
+- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads.
### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
@@ -4862,7 +4934,7 @@ The following fields are available:
- **updateID** The ID of the update being downloaded.
- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
- **uplinkUsageBps** The upload speed (in bytes per second).
-- **usedMemoryStream** Did the download use memory streaming?
+- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads.
### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
@@ -5146,6 +5218,17 @@ The following fields are available:
- **wuDeviceid** The Windows Update device GUID.
+### Microsoft.Windows.Update.Orchestrator.DeferRestart
+
+This event indicates that a restart required for installing updates was postponed.
+
+The following fields are available:
+
+- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery).
+- **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery).
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.Detection
This event indicates that a scan for a Windows Update occurred.
@@ -5192,7 +5275,7 @@ The following fields are available:
- **EventPublishedTime** Time when this event was generated.
- **flightID** The specific ID of the Windows Insider build.
- **revisionNumber** Update revision number.
-- **updateId** Unique Windows Update ID.
+- **updateId** Unique Update ID.
- **updateScenarioType** Update session type.
- **UpdateStatus** Last status of update.
- **wuDeviceid** Unique Device ID.
@@ -5240,6 +5323,30 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.LowUptimes
+
+This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure.
+
+The following fields are available:
+
+- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime.
+- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime.
+- **uptimeMinutes** Number of minutes of uptime measured.
+- **wuDeviceid** Unique device ID for Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection
+
+This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date.
+
+The following fields are available:
+
+- **externalOneshotupdate** The last time a task-triggered scan was completed.
+- **interactiveOneshotupdate** The last time an interactive scan was completed.
+- **oldlastscanOneshotupdate** The last time a scan completed successfully.
+- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID).
+
+
### Microsoft.Windows.Update.Orchestrator.PostInstall
This event is sent after a Windows update install completes.
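Review bot: In the LowUptimes description, "in order to keep secure" is missing its object; suggest "in order to keep the device secure". In OneshotUpdateDetection the semicolon before "to help keep Windows up to date" should be a comma. The three timestamp fields there say "The last time ..." without giving the format or time zone, which a reader needs in order to interpret the values.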
@@ -5256,6 +5363,15 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
+
+This event is generated before the shutdown and commit operations.
+
+The following fields are available:
+
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
### Microsoft.Windows.Update.Orchestrator.RebootFailed
This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date.
@@ -5276,6 +5392,18 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.RefreshSettings
+
+This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **settingsDownloadTime** Timestamp of the last attempt to acquire settings.
+- **settingsETag** Version identifier for the settings.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
@@ -5332,6 +5460,32 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed
+
+This event sends information about an update that encountered problems and was not able to complete.
+
+The following fields are available:
+
+- **errorCode** The error code encountered.
+- **wuDeviceid** The ID of the device in which the error occurred.
+
+
+### Microsoft.Windows.Update.Orchestrator.UsoSession
+
+This event represents the state of the USO service at start and completion.
+
+The following fields are available:
+
+- **activeSessionid** A unique session GUID.
+- **eventScenario** The state of the update action.
+- **interactive** Is the USO session interactive?
+- **lastErrorcode** The last error that was encountered.
+- **lastErrorstate** The state of the update when the last error was encountered.
+- **sessionType** A GUID that refers to the update session type.
+- **updateScenarioType** A descriptive update session type.
+- **wuDeviceid** The Windows Update device GUID.
+
+
### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates
This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date.
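Review bot: The description of updateSettingsFlushFailed ("an update that encountered problems and was not able to complete") does not mention settings or a flush, so it does not explain what the event name says failed; please describe the failed settings flush specifically. In UsoSession, the "interactive" field is phrased as a question ("Is the USO session interactive?") while other hunks in this patch convert question-form descriptions to statements; use "Indicates whether the USO session is interactive."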
@@ -5352,6 +5506,28 @@ The following fields are available:
- **WUDeviceID** The Windows Update device ID.
+### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
+
+This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown.
+- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed.
+- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs.
+- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode.
+- **ETag** The Entity Tag that represents the OneSettings version.
+- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device.
+- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device.
+- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending.
+- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode.
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+
+
### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
This event is sent when a security update has successfully completed.
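Review bot: SkipToAutoModeLimit is described as "The maximum number of days to switch to start while in Auto Reboot mode", which does not parse; please restate what is being limited. AcceptAutoModeLimit and EnterAutoModeLimit are also worded almost identically, so the difference between accepting and entering Auto Reboot mode needs to be spelled out. OldestUpdateLocalTime contains a curly apostrophe ("update’s") that should be a straight one.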
@@ -5390,7 +5566,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
-This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date.
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date.
The following fields are available:
@@ -5406,6 +5582,14 @@ The following fields are available:
- **wuDeviceid** The Windows Update device GUID.
+## Windows Update mitigation events
+
+### Mitigation360Telemetry.MitigationCustom.FixupEditionId
+
+This event sends data specific to the FixupEditionId mitigation used for OS Updates.
+
+
+
## Winlogon events
### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index f1ca2eae5e..8e49f96e10 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 10/10/2018
+ms.date: 11/07/2018
---
@@ -65,20 +65,20 @@ The following fields are available:
- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device.
- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
-- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine.
+- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
- **InventorySystemBios** The count of the number of this particular object type present on this device.
- **InventoryTest** The count of the number of this particular object type present on this device.
- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device.
-- **PCFP** An ID for the system, calculated by hashing hardware identifiers.
+- **PCFP** The count of the number of this particular object type present on this device.
- **SystemMemory** The count of the number of this particular object type present on this device.
- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device.
- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device.
- **SystemProcessorNx** The count of the number of this particular object type present on this device.
-- **SystemProcessorPrefetchW** The count of SystemProcessorPrefetchW objects present on this machine.
-- **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine.
+- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device.
+- **SystemProcessorSse2** The count of the number of this particular object type present on this device.
- **SystemTouch** The count of the number of this particular object type present on this device.
-- **SystemWim** The count of SystemWim objects present on this machine.
+- **SystemWim** The count of the number of this particular object type present on this device.
- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
- **SystemWlan** The count of the number of this particular object type present on this device.
- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
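Review bot: The PCFP line swaps "An ID for the system, calculated by hashing hardware identifiers" for the generic count boilerplate, which changes the field's meaning from an identifier to a counter; confirm which is correct before merging. The untouched DecisionTest_RS1 and Wmdrm_RS1 lines still carry the hashed-ID text, so one of the two patterns is wrong. The other replacements also trade a description that named the object (for example "The count of SystemWim objects") for "The count of the number of this particular object type", which is both redundant and less specific.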
@@ -1209,6 +1209,23 @@ The following fields are available:
- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver** Does the device have an emulated WLAN driver?
+- **WlanExists** Does the device support WLAN at all?
+- **WlanModulePresent** Are any WLAN modules present?
+- **WlanNativeDriver** Does the device have a non-emulated WLAN driver?
+
+
### Microsoft.Windows.Appraiser.General.SystemWlanRemove
This event indicates that the SystemWlan object is no longer present.
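Review bot: The new SystemWlanAdd description uses "up-to-date", while this same patch changes "up-to-date" to "up to date" in the RebootScheduled description of the other file; use one spelling throughout. The Blocking, HasWlanBlock, WlanEmulatedDriver, WlanExists, WlanModulePresent and WlanNativeDriver fields are written as questions, whereas the patch rewrites question-form descriptions such as isVpn into "Indicates whether ..." statements elsewhere.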
@@ -1525,16 +1542,16 @@ The following fields are available:
- **KvaShadow** Microcode info of the processor.
- **MMSettingOverride** Microcode setting of the processor.
- **MMSettingOverrideMask** Microcode setting override of the processor.
-- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
-- **ProcessorClockSpeed** Clock speed of the processor in MHz.
-- **ProcessorCores** Number of logical cores in the processor.
-- **ProcessorIdentifier** Processor Identifier of a manufacturer.
-- **ProcessorManufacturer** Name of the processor manufacturer.
-- **ProcessorModel** Name of the processor model.
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture.
+- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz.
+- **ProcessorCores** Retrieves the number of cores in the processor.
+- **ProcessorIdentifier** The processor identifier of a manufacturer.
+- **ProcessorManufacturer** Retrieves the name of the processor's manufacturer.
+- **ProcessorModel** Retrieves the name of the processor model.
- **ProcessorPhysicalCores** Number of physical cores in the processor.
-- **ProcessorUpdateRevision** Microcode revision
+- **ProcessorUpdateRevision** Retrieves the processor architecture of the installed operating system.
- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status
-- **SocketCount** Count of CPU sockets.
+- **SocketCount** Number of physical CPU sockets of the machine.
- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
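Review bot: ProcessorUpdateRevision is changed from "Microcode revision" to "Retrieves the processor architecture of the installed operating system", which is the ProcessorArchitecture description pasted onto the wrong field. Restore the microcode revision wording. ProcessorArchitecture now points readers to "DimProcessorArchitecture" without a link or any explanation of where that list lives, and ProcessorCores changes from "logical cores" to just "cores" while ProcessorPhysicalCores remains, so the distinction between the two fields is lost.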
@@ -1545,14 +1562,14 @@ This event provides information on about security settings used to help keep Win
The following fields are available:
- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard.
-- **CGRunning** Is Credential Guard running?
+- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running.
- **DGState** This field summarizes the Device Guard state.
-- **HVCIRunning** Is HVCI running?
+- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running.
- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest.
- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host.
- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
-- **SecureBootCapable** Is this device capable of running Secure Boot?
-- **VBSState** Is virtualization-based security enabled, disabled, or running?
+- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
+- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running.
### Census.Speech
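Review bot: the rewritten CGRunning, HVCIRunning and VBSState entries describe the features but not the value the field carries. VBSState names three states (Disabled, Enabled, Running) without saying which value maps to which, and CGRunning and HVCIRunning do not say whether they are booleans. Add the value encoding to each entry, because these are the fields a reader would use to confirm Credential Guard, HVCI and VBS posture from the event. "This field tells if" would also read better as "Indicates whether", matching the IsSawGuest and IsSawHost entries in the same list.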
@@ -1889,6 +1906,82 @@ The following fields are available:
- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter.
+- **aiSeqId** The event sequence ID.
+- **bootId** The system boot ID.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **DisplayAdapterLuid** The display adapter LUID.
+- **DriverDate** The date of the display driver.
+- **DriverRank** The rank of the display driver.
+- **DriverVersion** The display driver version.
+- **GPUDeviceID** The GPU device ID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **GPURevisionID** The GPU revision ID.
+- **GPUVendorID** The GPU vendor ID.
+- **InterfaceId** The GPU interface ID.
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMiracastSupported** Does the GPU support Miracast?
+- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsPostAdapter** Is this GPU the POST GPU in the device?
+- **IsRemovable** TRUE if the adapter supports being disabled or removed.
+- **IsRenderDevice** Does the GPU have rendering capabilities?
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **NumVidPnSources** The number of supported display output sources.
+- **NumVidPnTargets** The number of supported display output targets.
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **SubSystemID** The subsystem ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **version** The event version.
+- **WDDMVersion** The Windows Display Driver Model version.
+
+
+## Fault Reporting events
+
+### Microsoft.Windows.FaultReporting.AppCrashEvent
+
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
+
+The following fields are available:
+
+- **AppName** The name of the app that has crashed.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppTimeStamp** The date/time stamp of the app.
+- **AppVersion** The version of the app that has crashed.
+- **ExceptionCode** The exception code returned by the process that has crashed.
+- **ExceptionOffset** The address where the exception had occurred.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **ModName** Exception module name (e.g. bar.dll).
+- **ModTimeStamp** The date/time stamp of the module.
+- **ModVersion** The version of the module that has crashed.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ProcessId** The ID of the process that has crashed.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported
+- **TargetAsId** The sequence number for the hanging process.
+
+
## Feature update events
### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
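Review bot: in the AppCrashEvent field list, **TargetAsId** is described as "The sequence number for the hanging process.", which looks copied from the hang event; it should refer to the crashing process. In the same section the event description contains an unbalanced escaped quote (crashes\" by a user), ReportId reads "This can used to track" (missing "be"), and TargetAppVer lacks its final period. PackageFullName and PackageRelativeAppId share the identical text "Store application identity.", so the two fields cannot be told apart. The "field 14 of crash event, field 19 of WER event" reference cannot be resolved against this alphabetical list; name the field (ReportId) instead.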
@@ -1916,6 +2009,33 @@ This event sends basic metadata about the starting point of uninstalling a featu
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppVersion** The version of the app that has hung.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **ProcessId** The ID of the process that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+- **TypeCode** Bitmap describing the hang type.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+
+
## Inventory events
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
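Review bot: the AppHangEvent description points to "field 13 of hang event, field 19 of WER event", but the list that follows is alphabetical and unnumbered, so the reader cannot find field 13; refer to ReportId by name. ReportId also reads "This can used to track" (missing "be"). AppSessionGuid says "process id" here and "process ID" in the crash event added by the previous hunk, and WaitingOnPackageRelativeAppId uses "application id"; pick one casing. TypeCode is documented only as "Bitmap describing the hang type." with no bit meanings, unlike the DeviceState bitmask elsewhere in this change.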
@@ -1992,13 +2112,13 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **InventoryVersion** The version of the inventory component
+- **InventoryVersion** The version of the inventory component.
- **ProgramIds** The unique program identifier the driver is associated with.
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
-The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
+This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2185,12 +2305,12 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
- **BusReportedDescription** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
-- **Class** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
-- **ClassGuid** A unique identifier for the driver installed.
-- **COMPID** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
-- **ContainerId** INF file name (the name could be renamed by OS, such as oemXX.inf)
-- **Description** The version of the inventory binary generating the events.
-- **DeviceState** The current error code for the device.
+- **Class** The device setup class of the driver loaded for the device.
+- **ClassGuid** The device setup class guid of the driver loaded for the device.
+- **COMPID** The list of compat ids for the device.
+- **ContainerId** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
+- **Description** The device description.
+- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
- **DriverId** A unique identifier for the driver installed.
- **DriverName** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
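Review bot: this hunk corrects the shifted descriptions from Class through DeviceState but leaves **BusReportedDescription** (the unchanged line at the top) with "System-supplied GUID that uniquely groups the functional devices ...", which is now word for word the new ContainerId description. BusReportedDescription should get its own text in the same change. In the DeviceState entry, the flag list is packed into one sentence and the line ends without a period; a nested list or table of flag and value would be easier to read, and "guid" in ClassGuid's description should be "GUID" as in ContainerId.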
@@ -2703,11 +2823,188 @@ The following fields are available:
- **UserInputTime** The amount of time the loader application spent waiting for user input.
+## OneDrive events
+
+### Microsoft.OneDrive.Sync.Setup.APIOperation
+
+This event includes basic data about install and uninstall OneDrive API operations.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **Duration** How long the operation took.
+- **IsSuccess** Was the operation successful?
+- **ResultCode** The result code.
+- **ScenarioName** The name of the scenario.
+
+
+### Microsoft.OneDrive.Sync.Setup.EndExperience
+
+This event includes a success or failure summary of the installation.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **HResult** The result code of the last action performed before this operation
+- **IsSuccess** Was the operation successful?
+- **ScenarioName** The name of the scenario.
+
+
+### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
+
+This event is related to the OS version when the OS is upgraded with OneDrive installed.
+
+The following fields are available:
+
+- **CurrentOneDriveVersion** The current version of OneDrive.
+- **CurrentOSBuildBranch** The current branch of the operating system.
+- **CurrentOSBuildNumber** The current build number of the operating system.
+- **CurrentOSVersion** The current version of the operating system.
+- **HResult** The HResult of the operation.
+- **SourceOSBuildBranch** The source branch of the operating system.
+- **SourceOSBuildNumber** The source build number of the operating system.
+- **SourceOSVersion** The source version of the operating system.
+
+
+### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
+
+This event is related to registering or unregistering the OneDrive update task.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **IsSuccess** Was the operation successful?
+- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
+- **ScenarioName** The name of the scenario.
+- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
+
+This event includes basic data about the installation state of dependent OneDrive components.
+
+The following fields are available:
+
+- **ComponentName** The name of the dependent component.
+- **isInstalled** Is the dependent component installed?
+
+
+### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
+
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+
+The following fields are available:
+
+- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system.
+- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
+
+This event sends information describing the result of the update.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+- **IsLoggingEnabled** Indicates whether logging is enabled for the updater.
+- **UpdaterVersion** The version of the updater.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
+
+This event determines the status when downloading the OneDrive update configuration file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
+
+This event determines the error code that was returned when verifying Internet connectivity.
+
+The following fields are available:
+
+- **winInetError** The HResult of the operation.
+
+
+## Other events
+
+### CbsServicingProvider.CbsCapabilityEnumeration
+
+This event reports on the results of scanning for optional Windows content on Windows Update.
+
+The following fields are available:
+
+- **architecture** Indicates the scan was limited to the specified architecture.
+- **capabilityCount** The number of optional content packages found during the scan.
+- **clientId** The name of the application requesting the optional content.
+- **duration** The amount of time it took to complete the scan.
+- **hrStatus** The HReturn code of the scan.
+- **language** Indicates the scan was limited to the specified language.
+- **majorVersion** Indicates the scan was limited to the specified major version.
+- **minorVersion** Indicates the scan was limited to the specified minor version.
+- **namespace** Indicates the scan was limited to packages in the specified namespace.
+- **sourceFilter** A bitmask indicating the scan checked for locally available optional content.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionFinalize
+
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update.
+
+The following fields are available:
+
+- **capabilities** The names of the optional content packages that were installed.
+- **clientId** The name of the application requesting the optional content.
+- **highestState** The highest final install state of the optional content.
+- **hrStatus** The HReturn code of the install operation.
+- **rebootCount** The number of reboots required to complete the install.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionPended
+
+This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date.
+
+The following fields are available:
+
+- **clientId** The name of the application requesting the optional content.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+
+
+### Microsoft.Windows.WaaSAssessment.Error
+
+This event returns the name of the missing setting needed to determine the Operating System build age.
+
+The following fields are available:
+
+- **m** The WaaS (“Workspace as a Service”—cloud-based “workspace”) Assessment Error String.
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivationError
+
+This event indicates whether the system detected an activation error in the app.
+
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivity
+
+This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
+
+
+
## Remediation events
### Microsoft.Windows.Remediation.Applicable
-This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
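Review bot: in Microsoft.Windows.WaaSAssessment.Error, the **m** field expands WaaS as "Workspace as a Service", which does not fit an event about determining the operating system build age; in Windows servicing WaaS is normally "Windows as a Service", so please confirm and correct the expansion. In Microsoft.OneDrive.Sync.Updater.WebConnectionStatus, **winInetError** is described as "The HResult of the operation.", which looks pasted from the **hr** fields above it; the name suggests a WinINet error code. Smaller points in the same hunk: "HReturn code" in the Cbs events versus "HResult" everywhere else, the OverlayIconStatus fields **32bit** and **64bit** are described as the status "on a 32-bit/64-bit operating system" with the value legend only in the event description, the two Xbox events have no field list, and the new Remediation.Applicable description is less specific than the line it replaces.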
@@ -2716,7 +3013,6 @@ The following fields are available:
- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check.
- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid.
- **AppraiserTaskDisabled** Indicates the appraiser task is disabled.
-- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention.
- **CV** Correlation vector
- **DateTimeDifference** The difference between local and reference clock times.
- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled.
@@ -2726,7 +3022,7 @@ The following fields are available:
- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed.
- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
-- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system.
+- **GlobalEventCounter** Client side counter that indicates ordering of events.
- **HResult** The HRESULT for detection or perform action phases of the plugin.
- **IsAppraiserLatestResult** The HRESULT from the appraiser task.
- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected.
@@ -2789,29 +3085,9 @@ The following fields are available:
- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device.
-### Microsoft.Windows.Remediation.ChangePowerProfileDetection
-
-Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable installation of security or quality updates.
-
-The following fields are available:
-
-- **ActionName** A descriptive name for the plugin action
-- **CurrentPowerPlanGUID** The ID of the current power plan configured on the device
-- **CV** Correlation vector
-- **GlobalEventCounter** Counter that indicates the ordering of events on the device
-- **PackageVersion** Current package version of remediation service
-- **RemediationBatteryPowerBatteryLevel** Integer between 0 and 100 indicating % battery power remaining (if not on battery, expect 0)
-- **RemediationFUInProcess** Result that shows whether the device is currently installing a feature update
-- **RemediationFURebootRequred** Indicates that a feature update reboot required was detected so the plugin will exit.
-- **RemediationScanInProcess** Result that shows whether the device is currently scanning for updates
-- **RemediationTargetMachine** Result that shows whether this device is a candidate for remediation(s) that will fix update issues
-- **SetupMutexAvailable** Result that shows whether setup mutex is available or not
-- **SysPowerStatusAC** Result that shows whether system is on AC power or not
-
-
### Microsoft.Windows.Remediation.Completed
-This event enables completion tracking of a process that remediates issues preventing security and quality updates.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
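Review bot: the new description for Microsoft.Windows.Remediation.Completed is the same sentence this change gives to Remediation.Applicable and Remediation.Started ("This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy."), so the three events can no longer be distinguished by their descriptions. The removed text ("enables completion tracking of a process that remediates issues preventing security and quality updates") said what this event is for; keep that purpose and append the data-category sentence if it is required. The commit should also state why the ChangePowerProfileDetection section is dropped (event retired, or only undocumented).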
@@ -2833,7 +3109,7 @@ The following fields are available:
- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes.
- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes.
- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in.
-- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user.
+- **GlobalEventCounter** Client-side counter that indicates ordering of events.
- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes.
- **hasRolledBack** Indicates whether the client machine has rolled back.
- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS.
@@ -2911,7 +3187,7 @@ The following fields are available:
- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present.
- **usoScanIsUserLoggedOn** TRUE if the user is logged on.
- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late).
-- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background).
+- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background".
- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key.
- **windowsEditionId** Event to report the value of Windows Edition ID.
- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes.
@@ -2926,30 +3202,14 @@ The following fields are available:
- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key.
-### Microsoft.Windows.Remediation.RemediationShellMainExeEventId
-
-Enables tracking of completion of process that remediates issues preventing security and quality updates.
-
-The following fields are available:
-
-- **CV** Client side counter which indicates ordering of events sent by the remediation system.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
-- **PackageVersion** Current package version of Remediation.
-- **RemediationShellCanAcquireSedimentMutex** True if the remediation was able to acquire the sediment mutex. False if it is already running.
-- **RemediationShellExecuteShellResult** Indicates if the remediation system completed without errors.
-- **RemediationShellFoundDriverDll** Result whether the remediation system found its component files to run properly.
-- **RemediationShellLoadedShellDriver** Result whether the remediation system loaded its component files to run properly.
-- **RemediationShellLoadedShellFunction** Result whether the remediation system loaded the functions from its component files to run properly.
-
-
### Microsoft.Windows.Remediation.Started
-This event reports whether a plug-in started, to help ensure Windows is up to date.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
@@ -2970,6 +3230,41 @@ The following fields are available:
- **Time** The time the event was fired.
+### Microsoft.Windows.Sediment.Info.Error
+
+This event indicates an error in the updater payload. This information assists in keeping Windows up to date.
+
+
+
+### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings
+
+This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **CustomVer** The registry value for targeting.
+- **IsMetered** TRUE if the machine is on a metered network.
+- **LastVer** The version of the last successful run.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.OSRSS.Error
+
+This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
+
+The following fields are available:
+
+- **FailureType** The type of error encountered.
+- **FileName** The code file in which the error occurred.
+- **HResult** The failure error code.
+- **LineNumber** The line number in the code file at which the error occurred.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+
+
### Microsoft.Windows.Sediment.OSRSS.UrlState
This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
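Review bot: Microsoft.Windows.Sediment.Info.Error is added with a one-line description and no "The following fields are available:" list, while the two OSRSS events added right after it document every field. Either list its fields or state that it has none. In CheckingOneSettings, **CustomVer** ("The registry value for targeting.") does not say which registry value or what is being targeted, and "secure ping" in the event description is not explained; a short clarification would help readers assessing what leaves the device.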
@@ -2984,15 +3279,17 @@ The following fields are available:
- **Time** System timestamp the event was fired
+## Sediment Launcher events
+
### Microsoft.Windows.SedimentLauncher.Applicable
-Indicates whether a given plugin is applicable.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
- **CV** Correlation vector.
- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings.
- **IsSelfUpdateNeeded** True if self update needed by device.
- **PackageVersion** Current package version of Remediation.
@@ -3002,98 +3299,43 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Completed
-Indicates whether a given plugin has completed its work.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
The following fields are available:
- **CV** Correlation vector.
- **FailedReasons** Concatenated list of failure reasons.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher.
-### Microsoft.Windows.SedimentLauncher.Error
-
-Error occurred during execution of the plugin.
-
-The following fields are available:
-
-- **HResult** The result for the Detection or Perform Action phases of the plug-in.
-- **Message** A message containing information about the error that occurred (if any).
-- **PackageVersion** The version number of the current remediation package.
-
-
-### Microsoft.Windows.SedimentLauncher.FallbackError
-
-This event indicates that an error occurred during execution of the plug-in fallback.
-
-The following fields are available:
-
-- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult).
-- **wilResult** Result from executing wil based function. See [wilResult](#wilresult).
-
-
-### Microsoft.Windows.SedimentLauncher.Information
-
-This event provides general information returned from the plug-in.
-
-The following fields are available:
-
-- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
-- **Message** Information message returned from a plugin containing only information internal to the plugins execution.
-- **PackageVersion** Current package version of Remediation.
-
-
### Microsoft.Windows.SedimentLauncher.Started
-This event indicates that a given plug-in has started.
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date.
The following fields are available:
- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
-### Microsoft.Windows.SedimentLauncher.wilResult
-
-This event provides the result from the Windows internal library.
-
-The following fields are available:
-
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failureCount** Number of failures seen within the binary where the error occurred.
-- **failureId** Identifier assigned to this failure.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
-- **fileName** Source code file name where the error occurred.
-- **function** Name of the function where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source code file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
-
+## Sediment Service events
### Microsoft.Windows.SedimentService.Applicable
-This event indicates whether a given plug-in is applicable.
+This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
The following fields are available:
- **CV** Correlation vector.
- **DetectedCondition** Determine whether action needs to run based on device properties.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings.
- **IsSelfUpdateNeeded** Indicates if self update is needed.
- **PackageVersion** Current package version of Remediation.
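Review bot: The replacement descriptions for Microsoft.Windows.SedimentLauncher.Started and Microsoft.Windows.SedimentService.Applicable no longer say what each event signals. The removed sentences ("This event indicates that a given plug-in has started." and "This event indicates whether a given plug-in is applicable.") were the only text that told the two apart. Suggest keeping the specific sentence and appending the purpose clause to it. The hunk also deletes the SedimentLauncher.wilResult section, so confirm that no remaining link in the file still targets `#microsoftwindowssedimentlauncherwilresult`.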
@@ -3103,13 +3345,13 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Completed
-This event indicates whether a given plug-in has completed its work.
+This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
The following fields are available:
- **CV** Correlation vector.
- **FailedReasons** List of reasons when the plugin action failed.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter which indicates ordering of events.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
- **Result** This is the HRESULT for detection or perform action phases of the plugin.
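Review bot: The new description of Microsoft.Windows.SedimentService.Completed is word for word the one now used for SedimentService.Applicable, so a reader can no longer tell from the text that this event reports completion of the plug-in's work. Suggest retaining "indicates whether a given plug-in has completed its work" and adding the purpose wording after it. The GlobalEventCounter change drops "sent by this user"; if the counter is still per user, that scoping is worth keeping.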
@@ -3123,41 +3365,9 @@ The following fields are available:
- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again.
-### Microsoft.Windows.SedimentService.Error
-
-This event indicates whether an error condition occurred in the plug-in.
-
-The following fields are available:
-
-- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
-- **Message** Custom message associated with the failure (if any).
-- **PackageVersion** Current package version of Remediation.
-
-
-### Microsoft.Windows.SedimentService.FallbackError
-
-This event indicates whether an error occurred for a fallback in the plug-in.
-
-The following fields are available:
-
-- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult).
-- **wilResult** Result for wil based function. See [wilResult](#wilresult).
-
-
-### Microsoft.Windows.SedimentService.Information
-
-This event provides general information returned from the plug-in.
-
-The following fields are available:
-
-- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
-- **Message** Custom message associated with the failure (if any).
-- **PackageVersion** Current package version of Remediation.
-
-
### Microsoft.Windows.SedimentService.Started
-This event indicates a specified plug-in has started. This information helps ensure Windows is up to date.
+This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date.
The following fields are available:
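Review bot: The SedimentService.Error, FallbackError and Information sections are deleted without any statement that these events are no longer sent, and each carried a free-text **Message** field. If the events are still emitted at this diagnostic level, removing them leaves collected data undocumented; if they were retired, say so in the commit message. The rewritten Started description also loses "indicates a specified plug-in has started", which was the only event-specific wording.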
@@ -3168,32 +3378,33 @@ The following fields are available:
- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
-### Microsoft.Windows.SedimentService.wilResult
+## Setup events
-This event provides the result from the Windows internal library.
+### SetupPlatformTel.SetupPlatformTelActivityEvent
+
+This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date.
The following fields are available:
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failureCount** Number of failures seen within the binary where the error occurred.
-- **failureId** Identifier assigned to this failure.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
-- **fileName** Source code file name where the error occurred.
-- **function** Name of the function where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source code file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStarted
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+The following fields are available:
+
+- **Name** The name of the dynamic update type. Example: GDR driver
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStopped
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
-## Setup events
### SetupPlatformTel.SetupPlatformTelEvent
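Review bot: SetupPlatformTel.SetupPlatformTelActivityStopped is added with the same sentence as SetupPlatformTelActivityStarted and with no field list, so the entry does not say what "stopped" reports or whether it carries any fields. Suggest a distinct description and either a field list or an explicit statement that there are none. Smaller points in the same hunk: the **Value** line ends without a period after "will include the system time", and the **FieldName** examples mix "InstallStartTime" with "InstallEndtime"; confirm the actual casing.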
@@ -3780,6 +3991,131 @@ The following fields are available:
## Update events
+### Update360Telemetry.UpdateAgent_DownloadRequest
+
+This event sends data during the download request phase of updating Windows.
+
+The following fields are available:
+
+- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **ErrorCode** The error code returned for the current download request phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCountOptional** # of optional packages requested.
+- **PackageCountRequired** # of required packages requested.
+- **PackageCountTotal** Total # of packages needed.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **PackageSizeCanonical** Size of canonical packages in bytes.
+- **PackageSizeDiff** Size of diff packages in bytes.
+- **PackageSizeExpress** Size of express packages in bytes.
+- **RangeRequestState** Indicates the range request type used.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the download request phase of update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases)
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgent_FellBackToCanonical
+
+This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **PackageCount** The number of packages that fell back to “canonical”.
+- **PackageList** PackageIDs which fell back to “canonical”.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
+### Update360Telemetry.UpdateAgent_Initialize
+
+This event sends data during the initialize phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current initialize phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each Update Agent mode attempt .
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_Install
+
+This event sends data during the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_Merge
+
+This event sends data on the merge phase when updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current reboot.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
+### Update360Telemetry.UpdateAgent_ModeStart
+
+This event sends data for the start of each mode during the process of updating Windows.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **Mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest scan.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_SetupBoxLaunch
+
+This event sends data during the launching of the setup box when updating Windows.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **SandboxSize** The size of the sandbox folder on the device.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize
+- **UpdateId** Unique ID for each update.
+
+
### Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
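Review bot: In Update360Telemetry.UpdateAgent_Merge the **ErrorCode** field is described as "The error code returned for the current reboot", which looks copied from a reboot event; it should refer to the merge phase. UpdateAgent_DownloadRequest documents **Result** as "Outcome of the download request phase" without the value mapping that Initialize and Install give (0 = Succeeded, 1 = Failed, ...); list it there too if the same enum applies. Wording to tidy: "# of" versus "number of" in the PackageCount fields, the missing comma in "0 = Succeeded 1 = Failed", the stray space in "attempt .", and "Indicates that the Update Agent mode that has started".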
@@ -3975,6 +4311,24 @@ The following fields are available:
- **Version** Version of update
+### Update360Telemetry.UpdateAgentOneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **Count** The count of applicable OneSettings for the device.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+- **Values** The values sent back to the device, if applicable.
+
+
### Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario.
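Review bot: The description of Update360Telemetry.UpdateAgentOneSettings says it covers "the post reboot phase", which is what UpdateAgentPostRebootResult directly below already documents, while every distinctive field here (**Count**, **Parameters**, **Values**) concerns OneSettings. Suggest describing the OneSettings query itself. The **Parameters** and **Values** fields are open-ended name/value data, so the entry should state what kind of values they can contain. The semicolon in "update scenario; which is leveraged" should be a comma.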
@@ -4028,7 +4382,7 @@ The following fields are available:
- **CV** Correlation vector.
- **DetectorVersion** Most recently run detector version for the current campaign.
- **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user.
-- **key1** UI interaction data
+- **key1** Interaction data for the UI
- **key10** UI interaction data
- **key11** UI interaction data
- **key12** UI interaction data
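Review bot: The **key1** line is reworded to "Interaction data for the UI" while key10, key11 and key12 in the same list keep "UI interaction data", so the change adds inconsistency without adding meaning. Pick one wording for all keyN fields or leave the line alone. The unchanged **GlobalEventCounter** line here still reads "sent by this user", whereas the Sediment hunks in this patch remove that phrase; apply the same wording throughout.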
@@ -4039,9 +4393,9 @@ The following fields are available:
- **key17** UI interaction data
- **key18** UI interaction data
- **key19** UI interaction data
-- **key2** UI interaction data
+- **key2** Interaction data for the UI
- **key20** UI interaction data
-- **key21** Interaction data for the UI
+- **key21** UI interaction data
- **key22** UI interaction data
- **key23** UI interaction data
- **key24** UI interaction data
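Review bot: **key2** is changed from "UI interaction data" to "Interaction data for the UI" and **key21** is changed in the opposite direction in the same hunk. Neither edit changes meaning, and together they suggest the list was regenerated rather than edited. Suggest reverting both so the diff only carries real documentation changes.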
@@ -4050,12 +4404,12 @@ The following fields are available:
- **key27** UI interaction data
- **key28** UI interaction data
- **key29** UI interaction data
-- **key3** UI interaction data
+- **key3** Interaction data for the UI
- **key30** UI interaction data
-- **key4** UI interaction data
-- **key5** UI interaction data
-- **key6** UI interaction data
-- **key7** UI interaction data
+- **key4** Interaction data for the UI
+- **key5** UI interaction type
+- **key6** Current package version of UNP
+- **key7** UI interaction type
- **key8** UI interaction data
- **key9** UI interaction data
- **PackageVersion** Current package version of the update notification.
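Review bot: **key6** is now documented as "Current package version of UNP", which duplicates the existing **PackageVersion** field two lines below and uses the acronym UNP without expanding it. Confirm that key6 really carries the package version; if so, explain why both fields exist and spell out UNP. **key5** and **key7** become "UI interaction type" with no indication of the possible values, and key3 and key4 get the same cosmetic rewording as key1.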
@@ -4353,6 +4707,12 @@ This event sends a summary of all the setup mitigations available for this updat
+### Setup360Telemetry.Setup360OneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+
+
### Setup360Telemetry.UnexpectedEvent
This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
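Review bot: Setup360Telemetry.Setup360OneSettings is added with the sentence already used for Update360Telemetry.UpdateAgentOneSettings ("post reboot phase of the new UUP ... update scenario") and with no field list. As written the entry does not describe a Setup360 event or say what it sends. Suggest an event-specific description and either the fields or a statement that none are collected, and trim the three trailing blank lines to the file's usual spacing.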
@@ -4402,17 +4762,37 @@ This event provides the results from the WaaSMedic engine
The following fields are available:
- **detectionSummary** Result of each applicable detection that was run.
-- **featureAssessmentImpact** Windows as a Service (WaaS) Assessment impact on feature updates
+- **featureAssessmentImpact** WaaS Assessment impact for feature updates.
- **hrEngineResult** Indicates the WaaSMedic engine operation error codes
-- **insufficientSessions** True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise
-- **isManaged** Indicates the device is managed for updates
-- **isWUConnected** Indicates the device is connected to Windows Update
-- **noMoreActions** All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions
-- **qualityAssessmentImpact** Windows as a Service (WaaS) Assessment impact for quality updates
+- **insufficientSessions** Device not eligible for diagnostics.
+- **isManaged** Device is managed for updates.
+- **isWUConnected** Device is connected to Windows Update.
+- **noMoreActions** No more applicable diagnostics.
+- **qualityAssessmentImpact** WaaS Assessment impact for quality updates.
- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
-- **usingBackupFeatureAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client
-- **usingBackupQualityAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client
-- **versionString** Installed version of the WaaSMedic engine
+- **usingBackupFeatureAssessment** Relying on backup feature assessment.
+- **usingBackupQualityAssessment** Relying on backup quality assessment.
+- **versionString** Version of the WaaSMedic engine.
+
+
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+- **DumpFileSize** Size of the dump file
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
## Windows Store events
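Review bot: The new text for **insufficientSessions** ("Device not eligible for diagnostics.") reverses the removed definition ("True, if the device has enough activity to be eligible for update diagnostics"). Confirm which polarity is correct and state the True/False meaning explicitly. The shortened **usingBackupFeatureAssessment** and **usingBackupQualityAssessment** lines also drop the explanation of when the engine falls back, which the old text provided. In the added Microsoft.Windows.WERVertical.OSCrash description, fix "wheneveer" and "The is the OneCore version", and add units to **DumpFileSize**; since the event sends data from a dump file, the description should say what that data can contain.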
@@ -4798,144 +5178,6 @@ The following fields are available:
## Windows Update Delivery Optimization events
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
-
-This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background** Is the download being done in the background?
-- **bytesFromCacheServer** Bytes received from a cache host.
-- **bytesFromCDN** The number of bytes received from a CDN source.
-- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
-- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
-- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
-- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
-- **callerName** Name of the API caller.
-- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
-- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
-- **clientTelId** A random number used for device sampling.
-- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **errorCode** The error code that was returned.
-- **experimentId** When running a test, this is used to correlate events that are part of the same test.
-- **fileID** The ID of the file being downloaded.
-- **gCurMemoryStreamBytes** Current usage for memory streaming.
-- **gMaxMemoryStreamBytes** Maximum usage for memory streaming.
-- **isVpn** Is the device connected to a Virtual Private Network?
-- **jobID** Identifier for the Windows Update job.
-- **reasonCode** Reason the action or event occurred.
-- **scenarioID** The ID of the scenario.
-- **sessionID** The ID of the file download session.
-- **updateID** The ID of the update being downloaded.
-- **usedMemoryStream** Did the download use memory streaming?
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
-
-This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background** Is the download a background download?
-- **bytesFromCacheServer** Bytes received from a cache host.
-- **bytesFromCDN** The number of bytes received from a CDN source.
-- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
-- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
-- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
-- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
-- **bytesRequested** The total number of bytes requested for download.
-- **cacheServerConnectionCount** Number of connections made to cache hosts.
-- **callerName** Name of the API caller.
-- **cdnConnectionCount** The total number of connections made to the CDN.
-- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
-- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
-- **cdnIp** The IP address of the source CDN.
-- **clientTelId** A random number used for device sampling.
-- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
-- **downlinkUsageBps** The download speed (in bytes per second).
-- **downloadMode** The download mode used for this file download session.
-- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID** The ID of the file being downloaded.
-- **fileSize** The size of the file being downloaded.
-- **gCurMemoryStreamBytes** Current usage for memory streaming.
-- **gMaxMemoryStreamBytes** Maximum usage for memory streaming.
-- **groupConnectionCount** The total number of connections made to peers in the same group.
-- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
-- **isVpn** Is the device connected to a Virtual Private Network?
-- **jobID** Identifier for the Windows Update job.
-- **lanConnectionCount** The total number of connections made to peers in the same LAN.
-- **numPeers** The total number of peers used for this download.
-- **restrictedUpload** Is the upload restricted?
-- **scenarioID** The ID of the scenario.
-- **sessionID** The ID of the download session.
-- **totalTimeMs** Duration of the download (in seconds).
-- **updateID** The ID of the update being downloaded.
-- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
-- **uplinkUsageBps** The upload speed (in bytes per second).
-- **usedMemoryStream** Did the download use memory streaming?
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
-
-This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background** Is the download a background download?
-- **callerName** The name of the API caller.
-- **clientTelId** A random number used for device sampling.
-- **errorCode** The error code that was returned.
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID** The ID of the file being paused.
-- **isVpn** Is the device connected to a Virtual Private Network?
-- **jobID** Identifier for the Windows Update job.
-- **reasonCode** The reason for pausing the download.
-- **scenarioID** The ID of the scenario.
-- **sessionID** The ID of the download session.
-- **updateID** The ID of the update being paused.
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
-
-This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background** Indicates whether the download is happening in the background.
-- **bytesRequested** Number of bytes requested for the download.
-- **callerName** Name of the API caller.
-- **cdnUrl** The URL of the source CDN.
-- **clientTelId** Random number used for device selection
-- **costFlags** A set of flags representing network cost.
-- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
-- **diceRoll** Random number used for determining if a client will use peering.
-- **doClientVersion** The version of the Delivery Optimization client.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
-- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
-- **errorCode** The error code that was returned.
-- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
-- **fileID** The ID of the file being downloaded.
-- **filePath** The path to where the downloaded file will be written.
-- **fileSize** Total file size of the file that was downloaded.
-- **fileSizeCaller** Value for total file size provided by our caller.
-- **groupID** ID for the group.
-- **isVpn** Indicates whether the device is connected to a Virtual Private Network.
-- **jobID** The ID of the Windows Update job.
-- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization.
-- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering.
-- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization.
-- **peerID** The ID for this delivery optimization client.
-- **scenarioID** The ID of the scenario.
-- **sessionID** The ID for the file download session.
-- **updateID** The ID of the update being downloaded.
-- **usedMemoryStream** Indicates whether the download used memory streaming.
-
-
### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
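Review bot: This hunk deletes the DownloadCanceled, DownloadCompleted, DownloadPaused and DownloadStarted sections, which documented network and path fields such as **cdnIp**, **cdnUrl** and **filePath**, and held the value mappings for **downloadMode** and **downloadModeSrc**. The patch gives no reason for the removal. If these events are still sent at this diagnostic level they need to stay documented; if they are not, note that in the commit message so the deletion can be verified against the event manifest.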
@@ -4959,20 +5201,6 @@ The following fields are available:
- **sessionID** The ID of the download session.
-### Microsoft.OSG.DU.DeliveryOptClient.JobError
-
-This event represents a Windows Update job error. It allows for investigation of top errors.
-
-The following fields are available:
-
-- **clientTelId** A random number used for device sampling.
-- **doErrorCode** Error code returned for delivery optimization.
-- **errorCode** The error code returned.
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID** The ID of the file being downloaded.
-- **jobID** The Windows Update job ID.
-
-
## Windows Update events
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
@@ -5067,6 +5295,24 @@ The following fields are available:
- **updateId** Unique ID for each Update.
+### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
+
+This event indicates that a notification dialog box is about to be displayed to user.
+
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog
+
+This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed.
+
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog
+
+This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed.
+
+
+
### Microsoft.Windows.Update.NotificationUx.RebootScheduled
Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update.
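Review bot: the three added NotificationUx events carry a description but no "The following fields are available:" list, unlike the RebootScheduled event right after them. If these events really send no fields, say so explicitly; otherwise list them. Also, in DialogNotificationToBeDisplayed, "about to be displayed to user" should read "about to be displayed to the user".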
@@ -5085,6 +5331,18 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy
+
+This event indicates a policy is present that may restrict update activity to outside of active hours.
+
+
+
+### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours
+
+This event indicates that update activity was blocked because it is within the active hours window.
+
+
+
### Microsoft.Windows.Update.Orchestrator.CommitFailed
This event indicates that a device was unable to restart after an update.
@@ -5114,16 +5372,16 @@ This event indicates that a scan for a Windows Update occurred.
The following fields are available:
- **deferReason** Reason why the device could not check for updates.
-- **detectionBlockreason** Reason for detection not completing.
+- **detectionBlockreason** Reason for blocking detection
- **detectionRetryMode** Indicates whether we will try to scan again.
-- **errorCode** The returned error code.
-- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **errorCode** Error value
+- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
- **flightID** The specific ID of the Windows Insider build the device is getting.
- **interactive** Indicates whether the session was user initiated.
- **revisionNumber** Update revision number.
- **updateId** Update ID.
-- **updateScenarioType** Update Session type
-- **wuDeviceid** Device ID
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
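Review bot: the new **errorCode** text ("Error value") says less than the line it replaces ("The returned error code.") and drops the period, as does the new **detectionBlockreason** line. **eventScenario** also changes from "End-to-end" to "End to end", while the Download, Install and SystemNeeded events added elsewhere in this patch use "End-to-end update session ID." Suggest keeping the hyphenated form and full-sentence descriptions so the same field reads the same way across events.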
@@ -5142,6 +5400,23 @@ The following fields are available:
- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+### Microsoft.Windows.Update.Orchestrator.Download
+
+This event sends launch data for a Windows Update download to help keep Windows up to date.
+
+The following fields are available:
+
+- **deferReason** Reason for download not completing.
+- **errorCode** An error code represented as a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the session is user initiated.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
This event indicates that the update is no longer applicable to this device.
@@ -5169,6 +5444,48 @@ The following fields are available:
- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
+
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventPublishedTime** Time of the event.
+- **flightID** Unique update ID
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
+- **revisionNumber** Revision number of the update.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.Install
+
+This event sends launch data for a Windows Update install to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **deferReason** Reason for install not completing.
+- **errorCode** The error code reppresented by a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **flightUpdate** Indicates whether the update is a Windows Insider build.
+- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
+- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
+- **installRebootinitiatetime** The time it took for a reboot to be attempted.
+- **interactive** Identifies if session is user initiated.
+- **minutesToCommit** The time it took to install updates.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.LowUptimes
This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure.
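Review bot: typo in the Install field list: "reppresented" in **errorCode** should be "represented". In InitiatingReboot, **flightID** is described as "Unique update ID" (no period), which overlaps with **updateId** in the same list and contradicts the Install event's "The specific ID of the Windows Insider build the device is getting."; pick one definition. **batteryLevel** "in mWh or percentage left" leaves the unit open, so state how a reader tells which one a given value uses.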
@@ -5182,6 +5499,18 @@ The following fields are available:
- **wuDeviceid** Unique device ID for Windows Update.
+### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection
+
+This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date.
+
+The following fields are available:
+
+- **externalOneshotupdate** The last time a task-triggered scan was completed.
+- **interactiveOneshotupdate** The last time an interactive scan was completed.
+- **oldlastscanOneshotupdate** The last time a scan completed successfully.
+- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID).
+
+
### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
This event is generated before the shutdown and commit operations.
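Review bot: the OneshotUpdateDetection description misuses a semicolon ("background scans that are urgent; to help keep Windows up to date"). Use a comma, as the other descriptions in this patch do. The three timestamp fields (**externalOneshotupdate**, **interactiveOneshotupdate**, **oldlastscanOneshotupdate**) would also benefit from stating the time format.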
@@ -5191,6 +5520,166 @@ The following fields are available:
- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+### Microsoft.Windows.Update.Orchestrator.RebootFailed
+
+This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **deferReason** Reason for install not completing.
+- **EventPublishedTime** The time that the reboot failure occurred.
+- **flightID** Unique update ID.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours.
+- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.RefreshSettings
+
+This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **settingsDownloadTime** Timestamp of the last attempt to acquire settings.
+- **settingsETag** Version identifier for the settings.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
+
+This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+
+The following fields are available:
+
+- **RebootTaskRestoredTime** Time at which this reboot task was restored.
+- **wuDeviceid** Device ID for the device on which the reboot is restored.
+
+
+### Microsoft.Windows.Update.Orchestrator.SystemNeeded
+
+This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+
+The following fields are available:
+
+- **eventScenario** End-to-end update session ID.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **systemNeededReason** List of apps or tasks that are preventing the system from restarting.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **configuredPoliciescount** Number of policies on the device.
+- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight).
+- **policyCacherefreshtime** Time when policy cache was refreshed.
+- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed
+
+This event sends information about an update that encountered problems and was not able to complete.
+
+The following fields are available:
+
+- **errorCode** The error code encountered.
+- **wuDeviceid** The ID of the device in which the error occurred.
+
+
+### Microsoft.Windows.Update.Orchestrator.USODiagnostics
+
+This event sends data on whether the state of the update attempt, to help keep Windows up to date.
+
+The following fields are available:
+
+- **errorCode** result showing success or failure of current update
+- **LastApplicableUpdateFoundTime** The time when the last applicable update was found.
+- **LastDownloadDeferredReason** The last reason download was deferred.
+- **LastDownloadDeferredTime** The time of the download deferral.
+- **LastDownloadFailureError** The last download failure.
+- **LastDownloadFailureTime** The time of the last download failure.
+- **LastInstallCompletedTime** The time when the last successful install completed.
+- **LastInstallDeferredReason** The reason the last install was deferred.
+- **LastInstallDeferredTime** The time when the last install was deferred.
+- **LastInstallFailureError** The error code associated with the last install failure.
+- **LastInstallFailureTime** The time when the last install failed to complete.
+- **LastRebootDeferredReason** The reason the last reboot was deferred.
+- **LastRebootDeferredTime** The time when the last reboot was deferred.
+- **LastRebootPendingTime** The time when the last reboot state was set to “Pending”.
+- **LastScanDeferredReason** The reason the last scan was deferred.
+- **LastScanDeferredTime** The time when the last scan was deferred.
+- **LastScanFailureError** The error code for the last scan failure.
+- **LastScanFailureTime** The time when the last scan failed.
+- **LastUpdateCheckTime** The time of the last update check.
+- **LastUpdateDownloadTime** The time when the last update was downloaded.
+- **LastUpgradeInstallFailureError** The error code for the last upgrade install failure.
+- **LastUpgradeInstallFailureTime** The time of the last upgrade install failure.
+- **LowUpTimeDetectTime** The last time “low up-time” was detected.
+- **NoLowUpTimeDetectTime** The last time no “low up-time” was detected.
+- **RebootRequired** Indicates reboot is required.
+- **revisionNumber** Unique revision number of the Update
+- **updateId** Unique ID for Update
+- **updateState** Progress within an update state
+- **UpgradeInProgressTime** The amount of time a feature update has been in progress.
+- **WaaSFeatureAssessmentDays** The number of days Feature Update Assessment has been out of date.
+- **WaaSFeatureAssessmentImpact** The impact of the Feature Update Assessment.
+- **WaaSUpToDateAssessmentDays** The number of days Quality Update Assessment has been out of date.
+- **WaaSUpToDateAssessmentImpact** The impact of Quality Update Assessment.
+- **wuDeviceid** Unique ID for Device
+
+
+### Microsoft.Windows.Update.Orchestrator.UsoSession
+
+This event represents the state of the USO service at start and completion.
+
+The following fields are available:
+
+- **activeSessionid** A unique session GUID.
+- **eventScenario** The state of the update action.
+- **interactive** Is the USO session interactive?
+- **lastErrorcode** The last error that was encountered.
+- **lastErrorstate** The state of the update when the last error was encountered.
+- **sessionType** A GUID that refers to the update session type.
+- **updateScenarioType** A descriptive update session type.
+- **wuDeviceid** The Windows Update device GUID.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
+
+This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown.
+- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed.
+- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs.
+- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode.
+- **ETag** The Entity Tag that represents the OneSettings version.
+- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device.
+- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device.
+- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending.
+- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode.
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+
+
### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
This event is sent when a security update has successfully completed.
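Review bot: the USODiagnostics description is not a complete sentence: "This event sends data on whether the state of the update attempt" has no predicate after "whether"; it probably should read "sends data on the state of the update attempt". In the same event, **errorCode** starts lowercase and **errorCode**, **revisionNumber**, **updateId**, **updateState** and **wuDeviceid** have no closing period, unlike the rest of the list. In RebootFailed, **flightID** is "Unique update ID.", which duplicates **updateId**. In EnhancedEngagedRebootUxState, **SkipToAutoModeLimit** ("The maximum number of days to switch to start while in Auto Reboot mode") does not parse and needs rewording.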
@@ -5209,6 +5698,25 @@ The following fields are available:
- **Reason** The reason sent which will cause the reboot to defer.
+### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
+
+This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **activeHoursApplicable** Indicates whether Active Hours applies on this device.
+- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
+- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise.
+- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
+- **rebootState** Current state of the reboot.
+- **revisionNumber** Revision number of the update that is getting installed with this reboot.
+- **scheduledRebootTime** Time scheduled for the reboot.
+- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC.
+- **updateId** Identifies which update is being scheduled.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot
This event is fired the first time when the reboot is required.
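Review bot: **forcedReboot** ends without a period ("Otherwise, this is False") and phrases its true/false wording differently from **rebootOutsideOfActiveHours** and **rebootScheduledByUser** two lines below ("False, otherwise."); use one pattern. The description also says "up-to-date", while the MusUpdateSettings.RebootScheduled hunk later in this file changes that spelling to "up to date".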
@@ -5227,7 +5735,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
-This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date.
The following fields are available:
@@ -5244,6 +5752,32 @@ The following fields are available:
- **wuDeviceid** The Windows Update device GUID.
+## Windows Update mitigation events
+
+### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
+
+This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
+
+The following fields are available:
+
+- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightId** Unique identifier for each flight.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **MountedImageCount** Number of mounted images.
+- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT.
+- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
+- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
+- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each Update.
+- **WuId** Unique ID for the Windows Update client.
+
+
## Winlogon events
### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
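Review bot: grammar in **InstanceId**: "identifies each instances of setuphost.exe" should be "each instance". **ScenarioId** ("ID indicating the mitigation scenario") and **MitigationScenario** ("The update scenario in which the mitigation was executed") read as near-duplicates; a few words on how they differ would help.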
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 9af3127db4..8fed168ec8 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 09/10/2018
+ms.date: 11/07/2018
---
@@ -28,6 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
+
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
@@ -35,6 +36,8 @@ You can learn more about Windows functional and diagnostic data through these ar
- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+
+
## Appraiser events
### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
@@ -75,7 +78,7 @@ The following fields are available:
- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
-- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
+- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine.
- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
- **InventorySystemBios** The count of the number of this particular object type present on this device.
- **InventoryTest** The count of the number of this particular object type present on this device.
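Review bot: the new **InventoryLanguagePack** text says "on this machine" while every neighbouring Inventory* line in this list says "on this device". Suggest "The count of InventoryLanguagePack objects present on this device." or, if naming the object type is the intended improvement, applying it to the sibling lines too.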
@@ -575,6 +578,17 @@ The following fields are available:
- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date.
@@ -822,6 +836,31 @@ The following fields are available:
- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
+
+This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BootCritical** Is the driver package marked as boot critical?
+- **Build** The build value from the driver package.
+- **CatalogFile** The name of the catalog file within the driver package.
+- **Class** The device class from the driver package.
+- **ClassGuid** The device class unique ID from the driver package.
+- **Date** The date from the driver package.
+- **Inbox** Is the driver package of a driver that is included with Windows?
+- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU.
+- **Provider** The provider of the driver package.
+- **PublishedName** The name of the INF file after it was renamed.
+- **Revision** The revision of the driver package.
+- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2.
+- **VersionMajor** The major version of the driver package.
+- **VersionMinor** The minor version of the driver package.
+
+
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
This event indicates that the InventoryUplevelDriverPackage object is no longer present.
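Review bot: the InventoryUplevelDriverPackageAdd description has two grammar errors: "This event is only runs during setup" should be "This event runs only during setup", and "Is critical to understanding if failures..." is a fragment with no subject ("It is critical to understanding whether..."). **SignatureStatus** documents its enum values, which is helpful; the yes/no fields phrased as questions (**BootCritical**, **Inbox**) could state the value type the same way.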
@@ -1179,6 +1218,23 @@ The following fields are available:
- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver** Does the device have an emulated WLAN driver?
+- **WlanExists** Does the device support WLAN at all?
+- **WlanModulePresent** Are any WLAN modules present?
+- **WlanNativeDriver** Does the device have a non-emulated WLAN driver?
+
+
### Microsoft.Windows.Appraiser.General.SystemWlanRemove
This event indicates that the SystemWlan object is no longer present.
@@ -1292,7 +1348,7 @@ The following fields are available:
- **AppraiserTaskExitCode** The Appraiser task exist code.
- **AppraiserTaskLastRun** The last runtime for the Appraiser task.
- **CensusVersion** The version of Census that generated the current data for this device.
-- **IEVersion** Retrieves which version of Internet Explorer is running on this device.
+- **IEVersion** IE version running on the device.
### Census.Battery
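Review bot: the replacement **IEVersion** text abbreviates "Internet Explorer" to "IE", which is less clear than the line it removes for a reader auditing what is collected. Suggest keeping the product name spelled out, for example "The version of Internet Explorer running on the device."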
@@ -2594,6 +2650,91 @@ The following fields are available:
- **CV** Correlation vector.
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter.
+- **aiSeqId** The event sequence ID.
+- **bootId** The system boot ID.
+- **BrightnessVersionViaDDI** The version of the Display Brightness Interface.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **DisplayAdapterLuid** The display adapter LUID.
+- **DriverDate** The date of the display driver.
+- **DriverRank** The rank of the display driver.
+- **DriverVersion** The display driver version.
+- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
+- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store.
+- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store.
+- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store.
+- **GPUDeviceID** The GPU device ID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **GPURevisionID** The GPU revision ID.
+- **GPUVendorID** The GPU vendor ID.
+- **InterfaceId** The GPU interface ID.
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMiracastSupported** Does the GPU support Miracast?
+- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsPostAdapter** Is this GPU the POST GPU in the device?
+- **IsRemovable** TRUE if the adapter supports being disabled or removed.
+- **IsRenderDevice** Does the GPU have rendering capabilities?
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store.
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **NumVidPnSources** The number of supported display output sources.
+- **NumVidPnTargets** The number of supported display output targets.
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **SubSystemID** The subsystem ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **version** The event version.
+- **WDDMVersion** The Windows Display Driver Model version.
+
+
+## Fault Reporting events
+
+### Microsoft.Windows.FaultReporting.AppCrashEvent
+
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
+
+The following fields are available:
+
+- **AppName** The name of the app that has crashed.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppTimeStamp** The date/time stamp of the app.
+- **AppVersion** The version of the app that has crashed.
+- **ExceptionCode** The exception code returned by the process that has crashed.
+- **ExceptionOffset** The address where the exception had occurred.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name.
+- **IsCrashFatal** (Deprecated) True/False to indicate whether the crash resulted in process termination.
+- **IsFatal** True/False to indicate whether the crash resulted in process termination.
+- **ModName** Exception module name (e.g. bar.dll).
+- **ModTimeStamp** The date/time stamp of the module.
+- **ModVersion** The version of the module that has crashed.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ProcessId** The ID of the process that has crashed.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported
+- **TargetAsId** The sequence number for the hanging process.
+
+
## Feature update events
### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
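Review bot: In the AppCrash field list, **TargetAsId** is described as "The sequence number for the hanging process", which looks copied from the hang event; for a crash event it should refer to the crashing process. The introductory paragraph also ends with `crashes\" by a user`, which leaves a stray backslash and an unmatched closing quote; quote the word on both sides or drop the quote. Minor: "This can used to track" under ReportId is missing "be", and TargetAppVer lacks the closing period the other entries have.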
@@ -2618,6 +2759,34 @@ This event sends basic metadata about the starting point of uninstalling a featu
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppVersion** The version of the app that has hung.
+- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **ProcessId** The ID of the process that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+- **TypeCode** Bitmap describing the hang type.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+
+
## Inventory events
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
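Review bot: The AppHangEvent description points to "field 13 of hang event, field 19 of WER event" for the ReportID, but the field list that follows is alphabetical and unnumbered, and ReportId is the tenth entry in it, so a reader cannot resolve either number. Refer to the field by name, spelled ReportId as in the list, instead of by position. Also, PackageFullName and PackageRelativeAppId carry the identical text "Store application identity.", which does not say how they differ, and "This can used to track" under ReportId is missing "be".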
@@ -2693,6 +2862,18 @@ The following fields are available:
- **Version** The version number of the program.
+### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
+
+This event represents what drivers an application installs.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory component.
+- **ProgramIds** The unique program identifier the driver is associated with.
+
+
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
This event provides the basic metadata about the frameworks an application may depend on.
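Review bot: **ProgramIds** is a plural name but its description, "The unique program identifier the driver is associated with", is singular; say whether the field holds one identifier or a list. The summary says the event represents the drivers an application installs, yet neither listed field identifies a driver, so it would help to state that the driver identity comes from the included Ms.Device.DeviceInventoryChange fields, if that is the case.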
@@ -2839,6 +3020,17 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
+
+This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
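Review bot: The description added for InventoryDeviceMediaClassRemove says "the InventoryDeviceMediaClassRemove object is no longer present", which names the event itself as the thing that was removed. Name the inventory object the event refers to instead, so the sentence does not read as circular. The unchanged context line below it also has "InventoryDeviceMediaClassSAdd" with a stray capital S, which could be corrected in the same pass.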
@@ -2873,7 +3065,7 @@ The following fields are available:
- **Enumerator** The date of the driver loaded for the device.
- **HWID** The version of the driver loaded for the device.
- **Inf** The bus that enumerated the device.
-- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
- **InventoryVersion** List of hardware ids for the device.
- **LowerClassFilters** Lower filter class drivers IDs installed for the device
- **LowerFilters** Lower filter drivers IDs installed for the device
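Review bot: The only change here adds `/en-us/` to the InstallState link, which pins it to the English locale; the locale-neutral form on the removed line lets the site choose the reader's language, so I would keep that unless the neutral URL is broken. The URL is also left bare rather than written as a Markdown link like the Ms.Device.DeviceInventoryChange references elsewhere in this file. Separately, the unchanged context lines around it look shifted by one: Enumerator is described as a driver date, HWID as a driver version, Inf as the bus, and InventoryVersion as a list of hardware ids; worth fixing while this list is being touched.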
@@ -3438,6 +3630,557 @@ The following fields are available:
- **UptimeDeltaMS** Total time (in milliseconds) added to Uptime since the last event
+## OneDrive events
+
+### Microsoft.OneDrive.Sync.Setup.APIOperation
+
+This event includes basic data about install and uninstall OneDrive API operations.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **Duration** How long the operation took.
+- **IsSuccess** Was the operation successful?
+- **ResultCode** The result code.
+- **ScenarioName** The name of the scenario.
+
+
+### Microsoft.OneDrive.Sync.Setup.EndExperience
+
+This event includes a success or failure summary of the installation.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **HResult** HResult of the operation
+- **IsSuccess** Whether the operation is successful or not
+- **ScenarioName** The name of the scenario.
+
+
+### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
+
+This event is related to the OS version when the OS is upgraded with OneDrive installed.
+
+The following fields are available:
+
+- **CurrentOneDriveVersion** The current version of OneDrive.
+- **CurrentOSBuildBranch** The current branch of the operating system.
+- **CurrentOSBuildNumber** The current build number of the operating system.
+- **CurrentOSVersion** The current version of the operating system.
+- **HResult** The HResult of the operation.
+- **SourceOSBuildBranch** The source branch of the operating system.
+- **SourceOSBuildNumber** The source build number of the operating system.
+- **SourceOSVersion** The source version of the operating system.
+
+
+### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
+
+This event is related to registering or unregistering the OneDrive update task.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **IsSuccess** Was the operation successful?
+- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
+- **ScenarioName** The name of the scenario.
+- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
+
+This event includes basic data about the installation state of dependent OneDrive components.
+
+The following fields are available:
+
+- **ComponentName** The name of the dependent component.
+- **isInstalled** Is the dependent component installed?
+
+
+### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
+
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+
+The following fields are available:
+
+- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system.
+- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
+
+This event sends information describing the result of the update.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+- **IsLoggingEnabled** Indicates whether logging is enabled for the updater.
+- **UpdaterVersion** The version of the updater.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
+
+This event determines the status when downloading the OneDrive update configuration file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
+
+This event determines the error code that was returned when verifying Internet connectivity.
+
+The following fields are available:
+
+- **winInetError** The HResult of the operation.
+
+
+## Other events
+
+### CbsServicingProvider.CbsCapabilityEnumeration
+
+This event reports on the results of scanning for optional Windows content on Windows Update.
+
+The following fields are available:
+
+- **architecture** Indicates the scan was limited to the specified architecture.
+- **capabilityCount** The number of optional content packages found during the scan.
+- **clientId** The name of the application requesting the optional content.
+- **duration** The amount of time it took to complete the scan.
+- **hrStatus** The HReturn code of the scan.
+- **language** Indicates the scan was limited to the specified language.
+- **majorVersion** Indicates the scan was limited to the specified major version.
+- **minorVersion** Indicates the scan was limited to the specified minor version.
+- **namespace** Indicates the scan was limited to packages in the specified namespace.
+- **sourceFilter** A bitmask indicating the scan checked for locally available optional content.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionFinalize
+
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update.
+
+The following fields are available:
+
+- **capabilities** The names of the optional content packages that were installed.
+- **clientId** The name of the application requesting the optional content.
+- **currentID** The ID of the current install session.
+- **highestState** The highest final install state of the optional content.
+- **hrStatus** The HReturn code of the install operation.
+- **rebootCount** The number of reboots required to complete the install.
+- **retryID** The session ID that will be used to retry a failed operation.
+- **retryStatus** Indicates whether the install will be retried in the event of failure.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionPended
+
+This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date.
+
+The following fields are available:
+
+- **clientId** The name of the application requesting the optional content.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+
+
+### CbsServicingProvider.CbsPackageRemoval
+
+This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date.
+
+The following fields are available:
+
+- **buildVersion** The build number of the security update being uninstalled.
+- **clientId** The name of the application requesting the uninstall.
+- **currentStateEnd** The final state of the update after the operation.
+- **failureDetails** Information about the cause of a failure, if applicable.
+- **failureSourceEnd** The stage during the uninstall where the failure occurred.
+- **hrStatusEnd** The overall exit code of the operation.
+- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image.
+- **majorVersion** The major version number of the security update being uninstalled.
+- **minorVersion** The minor version number of the security update being uninstalled.
+- **originalState** The starting state of the update before the operation.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+- **primitiveExecutionContext** The state during system startup when the uninstall was completed.
+- **revisionVersion** The revision number of the security update being uninstalled.
+- **transactionCanceled** Indicates whether the uninstall was cancelled.
+
+
+### Microsoft.Windows.Remediation.Applicable
+
+This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date.
+
+The following fields are available:
+
+- **ActionName** The name of the action to be taken by the plug-in.
+- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid.
+- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check.
+- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid.
+- **AppraiserTaskDisabled** Indicates the appraiser task is disabled.
+- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention.
+- **CV** Correlation vector
+- **DateTimeDifference** The difference between local and reference clock times.
+- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled.
+- **DaysSinceLastSIH** The number of days since the most recent SIH executed.
+- **DaysToNextSIH** The number of days until the next scheduled SIH execution.
+- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run.
+- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed.
+- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system.
+- **HResult** The HRESULT for detection or perform action phases of the plugin.
+- **IsAppraiserLatestResult** The HRESULT from the appraiser task.
+- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected.
+- **LastHresult** The HRESULT for detection or perform action phases of the plugin.
+- **LastRun** The date of the most recent SIH run.
+- **NextRun** Date of the next scheduled SIH run.
+- **PackageVersion** The version of the current remediation package.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Reload** True if SIH reload is required.
+- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine.
+- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started.
+- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled.
+- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists.
+- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task.
+- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran.
+- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder.
+- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed.
+- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run.
+- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network.
+- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled.
+- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists.
+- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger.
+- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in.
+- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
+- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
+- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
+- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
+- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
+- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
+- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task.
+- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task.
+- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task.
+- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task.
+- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task.
+- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task.
+- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task.
+- **RemediationUHServiceBitsServiceEnabled** Indicates whether BITS service is enabled.
+- **RemediationUHServiceDeviceInstallEnabled** Indicates whether Device Install service is enabled.
+- **RemediationUHServiceDoSvcServiceEnabled** Indicates whether DO service is enabled.
+- **RemediationUHServiceDsmsvcEnabled** Indicates whether DSMSVC service is enabled.
+- **RemediationUHServiceLicensemanagerEnabled** Indicates whether License Manager service is enabled.
+- **RemediationUHServiceMpssvcEnabled** Indicates whether MPSSVC service is enabled.
+- **RemediationUHServiceTokenBrokerEnabled** Indicates whether Token Broker service is enabled.
+- **RemediationUHServiceTrustedInstallerServiceEnabled** Indicates whether Trusted Installer service is enabled.
+- **RemediationUHServiceUsoServiceEnabled** Indicates whether USO (Update Session Orchestrator) service is enabled.
+- **RemediationUHServicew32timeServiceEnabled** Indicates whether W32 Time service is enabled.
+- **RemediationUHServiceWecsvcEnabled** Indicates whether WECSVC service is enabled.
+- **RemediationUHServiceWinmgmtEnabled** Indicates whether WMI service is enabled.
+- **RemediationUHServiceWpnServiceEnabled** Indicates whether WPN service is enabled.
+- **RemediationUHServiceWuauservServiceEnabled** Indicates whether WUAUSERV service is enabled.
+- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
+- **RunAppraiserFailed** Indicates RunAppraiser failed to run correctly.
+- **RunTask** TRUE if SIH task should be run by the plug-in.
+- **TimeServiceNTPServer** The URL for the NTP time server used by device.
+- **TimeServiceStartType** The startup type for the NTP time service.
+- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock.
+- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device.
+
+
+### Microsoft.Windows.Remediation.ChangePowerProfileDetection
+
+Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable installation of security or quality updates.
+
+The following fields are available:
+
+- **ActionName** A descriptive name for the plugin action
+- **CurrentPowerPlanGUID** The ID of the current power plan configured on the device
+- **CV** Correlation vector
+- **GlobalEventCounter** Counter that indicates the ordering of events on the device
+- **PackageVersion** Current package version of remediation service
+- **RemediationBatteryPowerBatteryLevel** Integer between 0 and 100 indicating % battery power remaining (if not on battery, expect 0)
+- **RemediationFUInProcess** Result that shows whether the device is currently installing a feature update
+- **RemediationFURebootRequred** Indicates that a feature update reboot required was detected so the plugin will exit.
+- **RemediationScanInProcess** Result that shows whether the device is currently scanning for updates
+- **RemediationTargetMachine** Result that shows whether this device is a candidate for remediation(s) that will fix update issues
+- **SetupMutexAvailable** Result that shows whether setup mutex is available or not
+- **SysPowerStatusAC** Result that shows whether system is on AC power or not
+
+
+### Microsoft.Windows.Remediation.Completed
+
+This event enables completion tracking of a process that remediates issues preventing security and quality updates.
+
+The following fields are available:
+
+- **ActionName** Name of the action to be completed by the plug-in.
+- **AppraiserTaskCreationFailed** TRUE if the appraiser task creation failed to complete successfully.
+- **AppraiserTaskDeleteFailed** TRUE if deletion of appraiser task failed to complete successfully.
+- **AppraiserTaskExistFailed** TRUE if detection of the appraiser task failed to complete successfully.
+- **AppraiserTaskLoadXmlFailed** TRUE if the Appraiser XML Loader failed to complete successfully.
+- **AppraiserTaskMissing** TRUE if the Appraiser task is missing.
+- **AppraiserTaskTimeTriggerUpdateFailedId** TRUE if the Appraiser Task Time Trigger failed to update successfully.
+- **AppraiserTaskValidateTaskXmlFailed** TRUE if the Appraiser Task XML failed to complete successfully.
+- **branchReadinessLevel** Branch readiness level policy.
+- **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings.
+- **CrossedDiskSpaceThreshold** Indicates if cleanup resulted in hard drive usage threshold required for feature update to be exceeded.
+- **CV** The Correlation Vector.
+- **DateTimeDifference** The difference between the local and reference clocks.
+- **DaysSinceOsInstallation** The number of days since the installation of the Operating System.
+- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes.
+- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes.
+- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes.
+- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in.
+- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user.
+- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes.
+- **hasRolledBack** Indicates whether the client machine has rolled back.
+- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS.
+- **hResult** The result of the event execution.
+- **HResult** The result of the event execution.
+- **installDate** The value of installDate registry key. Indicates the install date.
+- **isNetworkMetered** Indicates whether the client machine has uninstalled a later version of the OS.
+- **LatestState** The final state of the plug-in component.
+- **MicrosoftCompatibilityAppraiser** The name of the component targeted by the Appraiser plug-in.
+- **PackageVersion** The package version for the current Remediation.
+- **PageFileCount** The number of Windows Page files.
+- **PageFileCurrentSize** The size of the Windows Page file, measured in Megabytes.
+- **PageFileLocation** The storage location (directory path) of the Windows Page file.
+- **PageFilePeakSize** The maximum amount of hard disk space used by the Windows Page file, measured in Megabytes.
+- **PluginName** The name of the plug-in specified for each generic plug-in event.
+- **RanCleanup** TRUE if the plug-in ran disk cleanup.
+- **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation.
+- **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power.
+- **RemediationBatteryPowerOnBattery** True if we allow execution on battery.
+- **RemediationConfigurationTroubleshooterExecuted** True/False based on whether the Remediation Configuration Troubleshooter executed successfully.
+- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully.
+- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully.
+- **RemediationDiskCleanSizeBtWindowsFolderInMegabytes** The size of the Windows BT folder (used to store Windows upgrade files), measured in Megabytes.
+- **RemediationDiskCleanupBTFolderEsdSizeInMB** The size of the Windows BT folder (used to store Windows upgrade files) ESD (Electronic Software Delivery), measured in Megabytes.
+- **RemediationDiskCleanupGetCurrentEsdSizeInMB** The size of any existing ESD (Electronic Software Delivery) folder, measured in Megabytes.
+- **RemediationDiskCleanupSearchFileSizeInMegabytes** The size of the Cleanup Search index file, measured in Megabytes.
+- **RemediationDiskCleanupUpdateAssistantSizeInMB** The size of the Update Assistant folder, measured in Megabytes.
+- **RemediationDoorstopChangeSucceeded** TRUE if Doorstop registry key was successfully modified.
+- **RemediationDoorstopExists** TRUE if there is a One Settings Doorstop value.
+- **RemediationDoorstopRegkeyError** TRUE if an error occurred accessing the Doorstop registry key.
+- **RemediationDRFKeyDeleteSucceeded** TRUE if the RecoveredFrom (Doorstop) registry key was successfully deleted.
+- **RemediationDUABuildNumber** The build number of the DUA.
+- **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted.
+- **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated.
+- **remediationExecution** Remediation shell is in "applying remediation" state.
+- **RemediationHibernationMigrated** TRUE if hibernation was migrated.
+- **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded.
+- **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated.
+- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully.
+- **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried.
+- **RemediationRanHibernation** TRUE if the system entered Hibernation.
+- **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded.
+- **RemediationShellHasUpgraded** TRUE if the device upgraded.
+- **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins.
+- **RemediationShellRunFromService** TRUE if the shell driver was run from the service.
+- **RemediationShellSessionIdentifier** Unique identifier tracking a shell session.
+- **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds.
+- **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation.
+- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in.
+- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in.
+- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in.
+- **RemediationWindowsLogSpaceFound** The size of the Windows log files found, measured in Megabytes.
+- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveFreeSpace** The amount of free space on the secondary drive, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveLetter** The letter designation of the first secondary drive with a total capacity of 10GB or more.
+- **RemediationWindowsSecondaryDriveTotalSpace** The total storage capacity of the secondary drive, measured in Megabytes.
+- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes.
+- **Result** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **ServiceHealthPlugin** The nae of the Service Health plug-in.
+- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully.
+- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs.
+- **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot.
+- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes.
+- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes.
+- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes.
+- **uninstallActive** TRUE if previous uninstall has occurred for current OS
+- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan.
+- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set.
+- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set.
+- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set.
+- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network.
+- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present.
+- **usoScanIsUserLoggedOn** TRUE if the user is logged on.
+- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late).
+- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background".
+- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key.
+- **windowsEditionId** Event to report the value of Windows Edition ID.
+- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes.
+- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes.
+- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes.
+- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes.
+- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in Megabytes.
+- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the SoftwareDistribution folder, measured in Megabytes.
+- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in Megabytes.
+- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in Megabytes.
+- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes.
+- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key.
+
+
+### Microsoft.Windows.Remediation.RemediationShellMainExeEventId
+
+Enables tracking of completion of process that remediates issues preventing security and quality updates.
+
+The following fields are available:
+
+- **CV** Client side counter which indicates ordering of events sent by the remediation system.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
+- **PackageVersion** Current package version of Remediation.
+- **RemediationShellCanAcquireSedimentMutex** True if the remediation was able to acquire the sediment mutex. False if it is already running.
+- **RemediationShellExecuteShellResult** Indicates if the remediation system completed without errors.
+- **RemediationShellFoundDriverDll** Result whether the remediation system found its component files to run properly.
+- **RemediationShellLoadedShellDriver** Result whether the remediation system loaded its component files to run properly.
+- **RemediationShellLoadedShellFunction** Result whether the remediation system loaded the functions from its component files to run properly.
+
+
+### Microsoft.Windows.Remediation.Started
+
+This event reports whether a plug-in started, to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentLauncher.Applicable
+
+Indicates whether a given plugin is applicable.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings.
+- **IsSelfUpdateNeeded** True if self update needed by device.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentLauncher.Completed
+
+Indicates whether a given plugin has completed its work.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher.
+
+
+### Microsoft.Windows.SedimentLauncher.Started
+
+This event indicates that a given plug-in has started.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.Applicable
+
+This event indicates whether a given plug-in is applicable.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **DetectedCondition** Determine whether action needs to run based on device properties.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.Completed
+
+This event indicates whether a given plug-in has completed its work.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **FailedReasons** List of reasons when the plugin action failed.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded.
+- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe.
+- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService).
+- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service.
+- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call).
+- **SedimentServiceStopping** True/False indicating whether the service is stopping.
+- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run.
+- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again.
+
+
+### Microsoft.Windows.SedimentService.Started
+
+This event indicates a specified plug-in has started. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **PackageVersion** The version number of the current remediation package.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivationError
+
+This event indicates whether the system detected an activation error in the app.
+
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivity
+
+This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
+
+The following fields are available:
+
+- **AppActionId** The ID of the application action.
+- **AppCurrentVisibilityState** The ID of the current application visibility state.
+- **AppId** The Xbox LIVE Title ID of the app.
+- **AppPackageFullName** The full name of the application package.
+- **AppPreviousVisibilityState** The ID of the previous application visibility state.
+- **AppSessionId** The application session ID.
+- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
+- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
+- **DurationMs** The amount of time (in milliseconds) since the last application state transition.
+- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license.
+- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc).
+- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license.
+- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application.
+- **UserId** The XUID (Xbox User ID) of the current user.
+
+
## Privacy consent logging events
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
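Review bot: the description added for **usoScanIsFeatureUpdateInProgress** is a verbatim copy of the one for **usoScanInProgress** ("TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans."). The field name suggests it reports a feature update in progress, so the text should say what this field actually measures. Under Microsoft.Windows.Remediation.RemediationShellMainExeEventId, **CV** carries the same text as **GlobalEventCounter** ("Client side counter which indicates ordering of events sent by the remediation system."), while every other event in this hunk describes CV as the correlation vector. Please align it. Microsoft.Xbox.XamTelemetry.AppActivationError is added with a description but no field list; either list the fields or state that the event has none, so readers auditing what is collected are not left guessing. Minor: "The type of licensed used" in **LicenseType** should read "The type of license used", and **uninstallActive** is missing the closing period its neighbours have.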
@@ -3465,8 +4208,272 @@ The following fields are available:
- **userRegionCode** The current user's region setting
+## Remediation events
+
+### Microsoft.Windows.Remediation.Applicable
+
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
+
+The following fields are available:
+
+- **ActionName** The name of the action to be taken by the plug-in.
+- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid.
+- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check.
+- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid.
+- **AppraiserTaskDisabled** Indicates the appraiser task is disabled.
+- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention.
+- **CV** Correlation vector
+- **DateTimeDifference** The difference between local and reference clock times.
+- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled.
+- **DaysSinceLastSIH** The number of days since the most recent SIH executed.
+- **DaysToNextSIH** The number of days until the next scheduled SIH execution.
+- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run.
+- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed.
+- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **GlobalEventCounter** Client side counter that indicates ordering of events.
+- **HResult** The HRESULT for detection or perform action phases of the plugin.
+- **IsAppraiserLatestResult** The HRESULT from the appraiser task.
+- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected.
+- **LastHresult** The HRESULT for detection or perform action phases of the plugin.
+- **LastRun** The date of the most recent SIH run.
+- **NextRun** Date of the next scheduled SIH run.
+- **PackageVersion** The version of the current remediation package.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Reload** True if SIH reload is required.
+- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine.
+- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started.
+- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled.
+- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists.
+- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task.
+- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran.
+- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder.
+- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed.
+- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run.
+- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network.
+- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled.
+- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists.
+- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger.
+- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in.
+- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
+- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
+- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
+- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
+- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
+- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
+- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task.
+- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task.
+- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task.
+- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task.
+- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task.
+- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task.
+- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task.
+- **RemediationUHServiceBitsServiceEnabled** Indicates whether BITS service is enabled.
+- **RemediationUHServiceDeviceInstallEnabled** Indicates whether Device Install service is enabled.
+- **RemediationUHServiceDoSvcServiceEnabled** Indicates whether DO service is enabled.
+- **RemediationUHServiceDsmsvcEnabled** Indicates whether DSMSVC service is enabled.
+- **RemediationUHServiceLicensemanagerEnabled** Indicates whether License Manager service is enabled.
+- **RemediationUHServiceMpssvcEnabled** Indicates whether MPSSVC service is enabled.
+- **RemediationUHServiceTokenBrokerEnabled** Indicates whether Token Broker service is enabled.
+- **RemediationUHServiceTrustedInstallerServiceEnabled** Indicates whether Trusted Installer service is enabled.
+- **RemediationUHServiceUsoServiceEnabled** Indicates whether USO (Update Session Orchestrator) service is enabled.
+- **RemediationUHServicew32timeServiceEnabled** Indicates whether W32 Time service is enabled.
+- **RemediationUHServiceWecsvcEnabled** Indicates whether WECSVC service is enabled.
+- **RemediationUHServiceWinmgmtEnabled** Indicates whether WMI service is enabled.
+- **RemediationUHServiceWpnServiceEnabled** Indicates whether WPN service is enabled.
+- **RemediationUHServiceWuauservServiceEnabled** Indicates whether WUAUSERV service is enabled.
+- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
+- **RunAppraiserFailed** Indicates RunAppraiser failed to run correctly.
+- **RunTask** TRUE if SIH task should be run by the plug-in.
+- **TimeServiceNTPServer** The URL for the NTP time server used by device.
+- **TimeServiceStartType** The startup type for the NTP time service.
+- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock.
+- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device.
+
+
+### Microsoft.Windows.Remediation.Completed
+
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy.
+
+The following fields are available:
+
+- **ActionName** Name of the action to be completed by the plug-in.
+- **AppraiserTaskCreationFailed** TRUE if the appraiser task creation failed to complete successfully.
+- **AppraiserTaskDeleteFailed** TRUE if deletion of appraiser task failed to complete successfully.
+- **AppraiserTaskExistFailed** TRUE if detection of the appraiser task failed to complete successfully.
+- **AppraiserTaskLoadXmlFailed** TRUE if the Appraiser XML Loader failed to complete successfully.
+- **AppraiserTaskMissing** TRUE if the Appraiser task is missing.
+- **AppraiserTaskTimeTriggerUpdateFailedId** TRUE if the Appraiser Task Time Trigger failed to update successfully.
+- **AppraiserTaskValidateTaskXmlFailed** TRUE if the Appraiser Task XML failed to complete successfully.
+- **branchReadinessLevel** Branch readiness level policy.
+- **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings.
+- **CrossedDiskSpaceThreshold** Indicates if cleanup resulted in hard drive usage threshold required for feature update to be exceeded.
+- **CV** The Correlation Vector.
+- **DateTimeDifference** The difference between the local and reference clocks.
+- **DaysSinceOsInstallation** The number of days since the installation of the Operating System.
+- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes.
+- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes.
+- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes.
+- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in.
+- **GlobalEventCounter** Client-side counter that indicates ordering of events.
+- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes.
+- **hasRolledBack** Indicates whether the client machine has rolled back.
+- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS.
+- **hResult** The result of the event execution.
+- **HResult** The result of the event execution.
+- **installDate** The value of installDate registry key. Indicates the install date.
+- **isNetworkMetered** Indicates whether the client machine has uninstalled a later version of the OS.
+- **LatestState** The final state of the plug-in component.
+- **MicrosoftCompatibilityAppraiser** The name of the component targeted by the Appraiser plug-in.
+- **PackageVersion** The package version for the current Remediation.
+- **PageFileCount** The number of Windows Page files.
+- **PageFileCurrentSize** The size of the Windows Page file, measured in Megabytes.
+- **PageFileLocation** The storage location (directory path) of the Windows Page file.
+- **PageFilePeakSize** The maximum amount of hard disk space used by the Windows Page file, measured in Megabytes.
+- **PluginName** The name of the plug-in specified for each generic plug-in event.
+- **RanCleanup** TRUE if the plug-in ran disk cleanup.
+- **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation.
+- **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power.
+- **RemediationBatteryPowerOnBattery** True if we allow execution on battery.
+- **RemediationConfigurationTroubleshooterExecuted** True/False based on whether the Remediation Configuration Troubleshooter executed successfully.
+- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully.
+- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully.
+- **RemediationDiskCleanSizeBtWindowsFolderInMegabytes** The size of the Windows BT folder (used to store Windows upgrade files), measured in Megabytes.
+- **RemediationDiskCleanupBTFolderEsdSizeInMB** The size of the Windows BT folder (used to store Windows upgrade files) ESD (Electronic Software Delivery), measured in Megabytes.
+- **RemediationDiskCleanupGetCurrentEsdSizeInMB** The size of any existing ESD (Electronic Software Delivery) folder, measured in Megabytes.
+- **RemediationDiskCleanupSearchFileSizeInMegabytes** The size of the Cleanup Search index file, measured in Megabytes.
+- **RemediationDiskCleanupUpdateAssistantSizeInMB** The size of the Update Assistant folder, measured in Megabytes.
+- **RemediationDoorstopChangeSucceeded** TRUE if Doorstop registry key was successfully modified.
+- **RemediationDoorstopExists** TRUE if there is a One Settings Doorstop value.
+- **RemediationDoorstopRegkeyError** TRUE if an error occurred accessing the Doorstop registry key.
+- **RemediationDRFKeyDeleteSucceeded** TRUE if the RecoveredFrom (Doorstop) registry key was successfully deleted.
+- **RemediationDUABuildNumber** The build number of the DUA.
+- **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted.
+- **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated.
+- **remediationExecution** Remediation shell is in "applying remediation" state.
+- **RemediationHibernationMigrated** TRUE if hibernation was migrated.
+- **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded.
+- **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated.
+- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully.
+- **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried.
+- **RemediationRanHibernation** TRUE if the system entered Hibernation.
+- **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded.
+- **RemediationShellHasUpgraded** TRUE if the device upgraded.
+- **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins.
+- **RemediationShellRunFromService** TRUE if the shell driver was run from the service.
+- **RemediationShellSessionIdentifier** Unique identifier tracking a shell session.
+- **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds.
+- **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation.
+- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in.
+- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in.
+- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in.
+- **RemediationWindowsLogSpaceFound** The size of the Windows log files found, measured in Megabytes.
+- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveFreeSpace** The amount of free space on the secondary drive, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveLetter** The letter designation of the first secondary drive with a total capacity of 10GB or more.
+- **RemediationWindowsSecondaryDriveTotalSpace** The total storage capacity of the secondary drive, measured in Megabytes.
+- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes.
+- **Result** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **ServiceHealthPlugin** The nae of the Service Health plug-in.
+- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully.
+- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs.
+- **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot.
+- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes.
+- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes.
+- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes.
+- **uninstallActive** TRUE if previous uninstall has occurred for current OS
+- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan.
+- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set.
+- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set.
+- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set.
+- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network.
+- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present.
+- **usoScanIsUserLoggedOn** TRUE if the user is logged on.
+- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late).
+- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background).
+- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key.
+- **windowsEditionId** Event to report the value of Windows Edition ID.
+- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes.
+- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes.
+- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes.
+- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes.
+- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in Megabytes.
+- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the SoftwareDistribution folder, measured in Megabytes.
+- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in Megabytes.
+- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in Megabytes.
+- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes.
+- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key.
+
+
+### Microsoft.Windows.Remediation.Started
+
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
## Sediment events
+### Microsoft.Windows.Sediment.Info.DetailedState
+
+This event is sent when detailed state information is needed from an update trial run.
+
+The following fields are available:
+
+- **Data** Data relevant to the state, such as what percent of disk space the directory takes up.
+- **Id** Identifies the trial being run, such as a disk related trial.
+- **ReleaseVer** The version of the component.
+- **State** The state of the reporting data from the trial, such as the top-level directory analysis.
+- **Time** The time the event was fired.
+
+
+### Microsoft.Windows.Sediment.Info.Error
+
+This event indicates an error in the updater payload. This information assists in keeping Windows up to date.
+
+
+
+### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings
+
+This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **CustomVer** The registry value for targeting.
+- **IsMetered** TRUE if the machine is on a metered network.
+- **LastVer** The version of the last successful run.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.OSRSS.Error
+
+This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
+
+The following fields are available:
+
+- **FailureType** The type of error encountered.
+- **FileName** The code file in which the error occurred.
+- **HResult** The failure error code.
+- **LineNumber** The line number in the code file at which the error occurred.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+
+
### Microsoft.Windows.Sediment.OSRSS.UrlState
This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
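Review bot: in Microsoft.Windows.Remediation.Completed, **isNetworkMetered** is described as "Indicates whether the client machine has uninstalled a later version of the OS.", which is the **hasUninstalled** text two entries above; the description should cover the metered-network state instead. The same copy-paste pattern appears in Microsoft.Windows.Remediation.Applicable, where **EvalAndReportAppraiserRegEntries** and **EvalAndReportAppraiserRegEntriesFailed** both read "Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.", and again in **usoScanIsFeatureUpdateInProgress**, which repeats the **usoScanInProgress** wording. **IsAppraiserLatestResult** is documented as "The HRESULT from the appraiser task." although the name reads like a boolean; please confirm the type. Microsoft.Windows.Remediation.Started is also added here with a different description and field wording than the entry of the same name added in the previous hunk of this file, so the page ends up documenting one event twice; keep a single definition. Typos to fix while here: "The nae of the Service Health plug-in", "TRUE if there is the user currently logged in is an Admin", and "Windows Updated disabled".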
@@ -3481,8 +4488,116 @@ The following fields are available:
- **Time** System timestamp when the event was started.
+## Sediment Service events
+
+### Microsoft.Windows.SedimentService.Applicable
+
+This event sends simple device connectivity and configuration data about a service installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.Completed
+
+This event sends simple device connectivity and configuration data about a service installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.Started
+
+This event sends simple device connectivity and configuration data about a service installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+## Sediment Launcher events
+
+### Microsoft.Windows.SedimentLauncher.Applicable
+
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentLauncher.Completed
+
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentLauncher.Started
+
+This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application.
+- **PackageVersion** Current package version of Remediation application.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
## Setup events
+### SetupPlatformTel.SetupPlatformTelActivityEvent
+
+This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStarted
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+The following fields are available:
+
+- **Name** The name of the dynamic update type. Example: GDR driver
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStopped
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+
+
### SetupPlatformTel.SetupPlatformTelEvent
This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
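Review bot: The SedimentService and SedimentLauncher entries added in this hunk repeat one description verbatim for Applicable, Started and Completed, so a reader cannot tell what each phase reports; give each event a sentence that states when it fires. In SetupPlatformTel.SetupPlatformTelActivityEvent the **Value** entry lacks its closing period, and the casing of the example "InstallEndtime" should be checked against "InstallStartTime". SetupPlatformTelActivityStopped has a description but neither a field list nor a statement that it has no fields.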
@@ -3961,14 +5076,31 @@ The following fields are available:
- **SignatureAlgorithm** Hash algorithm for the metadata signature
- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
- **StatusCode** Result code of the event (success, cancellation, failure code HResult)
-- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **TimestampTokenCertThumbprint** Thumbprint of the encoded timestamp token.
- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed.
- **UpdateId** Identifier associated with the specific piece of content
-- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
+- **ValidityWindowInDays** Validity window in effect when verifying the timestamp
## Update events
+### Update360Telemetry.Revert
+
+This event sends data relating to the Revert phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the Revert phase.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **RebootRequired** Indicates reboot is required.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
### Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
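Review bot: The reworded **TimestampTokenCertThumbprint** line still describes a "thumbprint of the encoded timestamp token", while the field name says it is a certificate thumbprint; state which certificate is meant, since a reader correlating signing data needs to know what is hashed. The new **ValidityWindowInDays** text also drops the final period that the neighbouring **TimestampTokenId** entry keeps.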
@@ -4104,6 +5236,52 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
+### Update360Telemetry.UpdateAgentMitigationResult
+
+This event sends data indicating the result of each update agent mitigation.
+
+The following fields are available:
+
+- **Applicable** Indicates whether the mitigation is applicable for the current update.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightId** Unique identifier for each flight.
+- **Index** The mitigation index of this particular mitigation.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly name of the mitigation.
+- **ObjectId** Unique value for each Update Agent mode.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentMitigationSummary
+
+This event sends a summary of all the update agent mitigations available for an this update.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **Failed** The count of mitigations that failed.
+- **FlightId** Unique identifier for each flight.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments).
+- **Total** Total number of mitigations that were available.
+- **UpdateId** Unique ID for each update.
+
+
### Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
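Review bot: Typo in the Update360Telemetry.UpdateAgentMitigationSummary description: "available for an this update" should read "available for this update". In UpdateAgentMitigationResult, "Unique ID for each Update." capitalises "Update" where the Summary entry uses "update"; use one form.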
@@ -4120,6 +5298,24 @@ The following fields are available:
- **Version** Version of update
+### Update360Telemetry.UpdateAgentOneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **Count** The count of applicable OneSettings for the device.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+- **Values** The values sent back to the device, if applicable.
+
+
### Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario.
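Review bot: The description of Update360Telemetry.UpdateAgentOneSettings says the event covers "the post reboot phase of the new UUP ... update scenario", which is what the following UpdateAgentPostRebootResult entry already says, and it does not mention OneSettings at all although every distinctive field (**Count**, **Parameters**, **Values**) is about OneSettings. Replace it with a sentence on the OneSettings query, and say what kind of name/value pairs **Parameters** carries, since that field leaves the device.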
@@ -4136,6 +5332,12 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
+### Update360Telemetry.UpdateAgentReboot
+
+This event sends information indicating that a request has been sent to suspend an update.
+
+
+
### Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
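Review bot: The description for Update360Telemetry.UpdateAgentReboot reads "a request has been sent to suspend an update", which does not match an event named Reboot; confirm the intended text. The entry also has no field list and does not say that the event has no fields.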
@@ -4185,7 +5387,7 @@ The following fields are available:
- **key19** UI interaction data
- **key2** Interaction data for the UI
- **key20** UI interaction data
-- **key21** Interaction data for the UI
+- **key21** UI interaction data
- **key22** UI interaction data
- **key23** UI interaction data
- **key24** UI interaction data
@@ -4197,10 +5399,10 @@ The following fields are available:
- **key3** Interaction data for the UI
- **key30** UI interaction data
- **key4** Interaction data for the UI
-- **key5** UI interaction data
-- **key6** UI interaction data
-- **key7** Interaction data for the UI
-- **key8** Interaction data for the UI
+- **key5** UI interaction type
+- **key6** Current package version of UNP
+- **key7** UI interaction type
+- **key8** UI interaction data
- **key9** UI interaction data
- **PackageVersion** Current package version of the update notification.
- **schema** UI interaction type.
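Review bot: **key6** is now described as "Current package version of UNP", which duplicates the existing **PackageVersion** entry ("Current package version of the update notification.") and uses "UNP" without expanding it. **key5** and **key7** are now "UI interaction type", the same text as **schema**; if these keys really have distinct meanings, say so, otherwise the four entries are indistinguishable.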
@@ -4314,6 +5516,7 @@ The following fields are available:
- **DownloadRequestAttributes** The attributes we send to DCAT.
- **ResultCode** The result returned from the initialization of Facilitator with the URL/attributes.
- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
+- **Url** The Delivery Catalog (DCAT) URL we send the request to.
- **Version** Version of Facilitator.
@@ -4376,9 +5579,9 @@ The following fields are available:
- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
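Review bot: The two changed lines move punctuation in opposite directions: **Setup360Scenario** gains a final period while **State** loses the one it had ("succeeded, failed, blocked, cancelled"). End both with a period, as the surrounding entries do.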
@@ -4524,6 +5727,67 @@ The following fields are available:
- **TargetBuild** Build of the target OS.
+### Setup360Telemetry.Setup360MitigationResult
+
+This event sends data indicating the result of each setup mitigation.
+
+The following fields are available:
+
+- **Applicable** TRUE if the mitigation is applicable for the current update.
+- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightData** The unique identifier for each flight (test release).
+- **Index** The mitigation index of this particular mitigation.
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly (descriptive) name of the mitigation.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+
+
+### Setup360Telemetry.Setup360MitigationSummary
+
+This event sends a summary of all the setup mitigations available for this update.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Failed** The count of mitigations that failed.
+- **FlightData** The unique identifier for each flight (test release).
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **Total** The total number of mitigations that were available.
+
+
+### Setup360Telemetry.Setup360OneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Count** The count of applicable OneSettings for the device.
+- **FlightData** The ID for the flight (test instance version).
+- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **ReportId** The Update ID passed to Setup.
+- **Result** The HResult of the event error.
+- **ScenarioId** The update scenario ID.
+- **Values** Values sent back to the device, if applicable.
+
+
### Setup360Telemetry.UnexpectedEvent
This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
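Review bot: The description of Setup360Telemetry.Setup360OneSettings is the "post reboot phase of the new UUP" sentence again and does not describe a OneSettings lookup, which is what **Count**, **Parameters** and **Values** document. In Setup360MitigationSummary, **TimeDiff** says "performing the mitigation" although the event summarises all mitigations; use "all mitigations". **InstanceId** is written with "Globally Unique ID" and SetupHost.EXE in the two mitigation events but "Globally-Unique ID" and setuphost.exe in Setup360OneSettings; pick one spelling.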
@@ -4570,6 +5834,26 @@ The following fields are available:
- **versionString** Version of the WaaSMedic engine.
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+- **DumpFileSize** Size of the dump file
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+
+
## Windows Error Reporting MTT events
### Microsoft.Windows.WER.MTT.Denominator
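Review bot: The Microsoft.Windows.WERVertical.OSCrash description says the event "sends binary data from the collected dump file", but the listed fields are only metadata (bug check code and parameters, **DumpFileAttributes**, **DumpFileSize**, **IsValidDumpFile**, **ReportId**); state explicitly whether dump contents are included, because that changes the privacy assessment of the event. The same sentence has two typos: "wheneveer" and "The is the OneCore version". **DumpFileSize** gives no unit, and the last three field lines before **ReportId** lack a final period.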
@@ -4982,7 +6266,7 @@ The following fields are available:
- **current** Result of currency check.
- **dismOperationSucceeded** Dism uninstall operation status.
-- **hResult** Failure error code.
+- **hResult** Failure Error code.
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
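Review bot: The **hResult** change from "Failure error code." to "Failure Error code." introduces mid-sentence capitalisation and no change in meaning; keep the original wording. The same edit is repeated in the next hunk.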
@@ -5023,7 +6307,7 @@ The following fields are available:
- **current** Result of currency check.
- **dismOperationSucceeded** Dism uninstall operation status.
-- **hResult** Failure error code.
+- **hResult** Failure Error code.
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
@@ -5058,45 +6342,128 @@ This event sends basic telemetry on the success of the rollback of the Quality/L
## Windows Update Delivery Optimization events
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
-This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
The following fields are available:
-- **background** Indicates whether the download is happening in the background.
-- **bytesRequested** Number of bytes requested for the download.
+- **background** Is the download being done in the background?
+- **bytesFromCacheServer** Bytes received from a cache host.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
- **callerName** Name of the API caller.
-- **cdnUrl** The URL of the source CDN
-- **costFlags** A set of flags representing network cost.
-- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
-- **diceRoll** Random number used for determining if a client will use peering.
-- **doClientVersion** The version of the Delivery Optimization client.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
-- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
- **errorCode** The error code that was returned.
-- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
+- **experimentId** When running a test, this is used to correlate events that are part of the same test.
- **fileID** The ID of the file being downloaded.
-- **filePath** The path to where the downloaded file will be written.
-- **fileSize** Total file size of the file that was downloaded.
-- **fileSizeCaller** Value for total file size provided by our caller.
-- **groupID** ID for the group.
-- **isEncrypted** Indicates whether the download is encrypted.
-- **isVpn** Indicates whether the device is connected to a Virtual Private Network.
-- **jobID** The ID of the Windows Update job.
-- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization.
-- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering.
-- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization.
-- **peerID** The ID for this delivery optimization client.
-- **predefinedCallerName** Name of the API caller.
+- **gCurMemoryStreamBytes** Current usage for memory streaming.
+- **gMaxMemoryStreamBytes** Maximum usage for memory streaming.
+- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network).
+- **jobID** Identifier for the Windows Update job.
+- **predefinedCallerName** The name of the API Caller.
+- **reasonCode** Reason the action or event occurred.
- **scenarioID** The ID of the scenario.
-- **sessionID** The ID for the file download session.
-- **setConfigs** A JSON representation of the configurations that have been set, and their sources.
+- **sessionID** The ID of the file download session.
- **updateID** The ID of the update being downloaded.
-- **usedMemoryStream** Indicates whether the download used memory streaming.
+- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads.
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
+
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **bytesFromCacheServer** Bytes received from a cache host.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **bytesRequested** The total number of bytes requested for download.
+- **cacheServerConnectionCount** Number of connections made to cache hosts.
+- **callerName** Name of the API caller.
+- **cdnConnectionCount** The total number of connections made to the CDN.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **cdnIp** The IP address of the source CDN.
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
+- **downlinkUsageBps** The download speed (in bytes per second).
+- **downloadMode** The download mode used for this file download session.
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **fileSize** The size of the file being downloaded.
+- **gCurMemoryStreamBytes** Current usage for memory streaming.
+- **gMaxMemoryStreamBytes** Maximum usage for memory streaming.
+- **groupConnectionCount** The total number of connections made to peers in the same group.
+- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
+- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **numPeers** The total number of peers used for this download.
+- **predefinedCallerName** The name of the API Caller.
+- **restrictedUpload** Is the upload restricted?
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the download session.
+- **totalTimeMs** Duration of the download (in seconds).
+- **updateID** The ID of the update being downloaded.
+- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
+- **uplinkUsageBps** The upload speed (in bytes per second).
+- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
+
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **callerName** The name of the API caller.
+- **errorCode** The error code that was returned.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being paused.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **predefinedCallerName** The name of the API Caller object.
+- **reasonCode** The reason for pausing the download.
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the download session.
+- **updateID** The ID of the update being paused.
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnUrl** The URL of the CDN.
+- **clientTelId** A random number used for device sampling.
+- **errorCode** The error code that was returned.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.).
+- **requestOffset** The byte offset within the file in the sent request.
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+- **sessionID** The ID of the download session.
+
## Windows Update events
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
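Review bot: In DownloadCompleted, **totalTimeMs** is described as "Duration of the download (in seconds)", which contradicts the Ms suffix; confirm the unit. In FailureCdnCommunication, **isHeadRequest** reads as a boolean but is described as "The type of HTTP request ... Example: HEAD or GET". The event is spelled FailureCDNCommunication in the **cdnErrorCodes** entries and FailureCdnCommunication in its own heading and in **errorCount**. **downloadMode** loses the value list (CdnOnly = 0, Lan = 1, ...) that the removed DownloadStarted text had, while **downloadModeSrc** keeps its list. A blank line is missing between the last DownloadCanceled field and the DownloadCompleted heading. Since **cdnIp**, **cdnUrl** and **cdnHeaders** expose network details, the descriptions should say whether the headers are sent in full.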
@@ -5443,7 +6810,7 @@ The following fields are available:
- **displayNeededReason** List of reasons for needing display.
- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
-- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery).
+- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery)..
- **gameModeReason** Name of the executable that caused the game mode state check to start.
- **ignoredReason** List of reasons that were intentionally ignored.
- **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery).
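Review bot: The changed **filteredDeferReason** line now ends in a double period ("low battery).."); revert to the single period.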
@@ -5462,9 +6829,9 @@ The following fields are available:
- **deferReason** Reason why the device could not check for updates.
- **detectionBlockingPolicy** State of update action.
-- **detectionBlockreason** Reason for blocking detection
+- **detectionBlockreason** If we retry to scan
- **detectionRetryMode** Indicates whether we will try to scan again.
-- **errorCode** Error info
+- **errorCode** State of update action
- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
- **flightID** The specific ID of the Windows Insider build the device is getting.
- **interactive** Indicates whether the session was user initiated.
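Review bot: The new descriptions look shifted by one row. **detectionBlockreason** is now "If we retry to scan", which is the meaning of the next field, **detectionRetryMode** ("Indicates whether we will try to scan again."), and **errorCode** is now "State of update action", identical to **detectionBlockingPolicy** two lines above. The removed texts ("Reason for blocking detection", "Error info") matched the field names; restore them or supply descriptions that do.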
@@ -5472,7 +6839,7 @@ The following fields are available:
- **revisionNumber** Update revision number.
- **scanTriggerSource** Source of the triggered scan.
- **updateId** Update ID.
-- **updateScenarioType** Source of the triggered scan
+- **updateScenarioType** Update Session type
- **wuDeviceid** Device ID
@@ -5557,7 +6924,7 @@ This event is sent during update scan, download, or install, and indicates that
The following fields are available:
-- **configVersion** Escalation config version on device .
+- **configVersion** Escalation config version on device.
- **downloadElapsedTime** Indicates how long since the download is required on device.
- **downloadRiskLevel** At-risk level of download phase.
- **installElapsedTime** Indicates how long since the install is required on device.
@@ -5585,7 +6952,7 @@ This event indicates that the update is no longer applicable to this device.
The following fields are available:
-- **EventPublishedTime** Time when this event was generated
+- **EventPublishedTime** Time when this event was generated.
- **flightID** The specific ID of the Windows Insider build.
- **revisionNumber** Update revision number.
- **updateId** Unique Windows Update ID.
@@ -5633,7 +7000,7 @@ The following fields are available:
- **deferReason** Reason for install not completing.
- **errorCode** The error code reppresented by a hexadecimal value.
- **eventScenario** End-to-end update session ID.
-- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **flightID** Unique update ID
- **flightUpdate** Indicates whether the update is a Windows Insider build.
- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
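Review bot: **flightID** is changed to "Unique update ID", which contradicts the field name and the adjacent **flightUpdate** entry ("Indicates whether the update is a Windows Insider build"); the removed text ("The specific ID of the Windows Insider build the device is getting.") was the accurate one. While touching this list, the context line for **errorCode** still has the typo "reppresented".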
@@ -5648,6 +7015,31 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.LowUptimes
+
+This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure.
+
+The following fields are available:
+
+- **isLowUptimeMachine** Is the machine considered low uptime or not.
+- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime.
+- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime.
+- **uptimeMinutes** Number of minutes of uptime measured.
+- **wuDeviceid** Unique device ID for Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection
+
+This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date.
+
+The following fields are available:
+
+- **externalOneshotupdate** The last time a task-triggered scan was completed.
+- **interactiveOneshotupdate** The last time an interactive scan was completed.
+- **oldlastscanOneshotupdate** The last time a scan completed successfully.
+- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID).
+
+
### Microsoft.Windows.Update.Orchestrator.PostInstall
This event is sent after a Windows update install completes.
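Review bot: The OneshotUpdateDetection description misuses a semicolon in "background scans that are urgent; to help keep Windows up to date"; a comma is what is needed there. In the LowUptimes description, "in order to keep secure" has no object; suggest "to keep the device secure". wuDeviceid is also worded differently in each of the two new events ("Unique device ID for Windows Update." and "The Windows Update Device GUID (Globally-Unique ID)."), so pick one wording for the same field.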
@@ -5723,6 +7115,18 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.RefreshSettings
+
+This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **settingsDownloadTime** Timestamp of the last attempt to acquire settings.
+- **settingsETag** Version identifier for the settings.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
@@ -5819,6 +7223,76 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed
+
+This event sends information about an update that encountered problems and was not able to complete.
+
+The following fields are available:
+
+- **errorCode** The error code encountered.
+- **wuDeviceid** The ID of the device in which the error occurred.
+
+
+### Microsoft.Windows.Update.Orchestrator.USODiagnostics
+
+This event sends data on whether the state of the update attempt, to help keep Windows up to date.
+
+The following fields are available:
+
+- **LastApplicableUpdateFoundTime** The time when the last applicable update was found.
+- **LastDownloadDeferredReason** The last reason download was deferred.
+- **LastDownloadDeferredTime** The time of the download deferral.
+- **LastDownloadFailureError** The last download failure.
+- **LastDownloadFailureTime** The time of the last download failure.
+- **LastInstallCompletedTime** The time when the last successful install completed.
+- **LastInstallDeferredReason** The reason the last install was deferred.
+- **LastInstallDeferredTime** The time when the last install was deferred.
+- **LastInstallFailureError** The error code associated with the last install failure.
+- **LastInstallFailureTime** The time when the last install failed to complete.
+- **LastRebootDeferredReason** The reason the last reboot was deferred.
+- **LastRebootDeferredTime** The time when the last reboot was deferred.
+- **LastRebootPendingTime** The time when the last reboot state was set to “Pending”.
+- **LastScanDeferredReason** The reason the last scan was deferred.
+- **LastScanDeferredTime** The time when the last scan was deferred.
+- **LastScanFailureError** The error code for the last scan failure.
+- **LastScanFailureTime** The time when the last scan failed.
+- **LastUpdateCheckTime** The time of the last update check.
+- **LastUpdateDownloadTime** The time when the last update was downloaded.
+- **LastUpgradeInstallFailureError** The error code for the last upgrade install failure.
+- **LastUpgradeInstallFailureTime** The time of the last upgrade install failure.
+- **LowUpTimeDetectTime** The last time “low up-time” was detected.
+- **NoLowUpTimeDetectTime** The last time no “low up-time” was detected.
+- **RebootRequired** Indicates reboot is required.
+- **UpgradeInProgressTime** The amount of time a feature update has been in progress.
+- **WaaSFeatureAssessmentDays** The number of days Feature Update Assessment has been out of date.
+- **WaaSFeatureAssessmentImpact** The impact of the Feature Update Assessment.
+- **WaaSUpToDateAssessmentDays** The number of days Quality Update Assessment has been out of date.
+- **WaaSUpToDateAssessmentImpact** The impact of Quality Update Assessment.
+- **wuDeviceid** Unique ID for Device
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
+
+This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown.
+- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed.
+- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs.
+- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode.
+- **ETag** The Entity Tag that represents the OneSettings version.
+- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device.
+- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device.
+- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending.
+- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode.
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+
+
### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
This event is sent when a security update has successfully completed.
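Review bot: The USODiagnostics description, "This event sends data on whether the state of the update attempt", is an unfinished sentence; either drop "whether" or say what condition is being reported. In the same hunk, updateSettingsFlushFailed is described only as "an update that encountered problems", which does not say what failed to flush, and the USODiagnostics wuDeviceid entry ("Unique ID for Device") is missing its period and differs from the wording used for that field in the other events.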
@@ -5872,6 +7346,25 @@ The following fields are available:
- **TaskName** Name of the task
+### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
+
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date.
+
+The following fields are available:
+
+- **activeHoursApplicable** Is the restart respecting Active Hours?
+- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE.
+- **rebootArgument** The arguments that are passed to the OS for the restarted.
+- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours?
+- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device.
+- **rebootState** The state of the restart.
+- **revisionNumber** The revision number of the OS being updated.
+- **scheduledRebootTime** Time of the scheduled reboot
+- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time.
+- **updateId** The Windows Update device GUID.
+- **wuDeviceid** The Windows Update device GUID.
+
+
## Windows Update mitigation events
### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
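Review bot: In RebootScheduled, updateId is given the same description as wuDeviceid ("The Windows Update device GUID."), which looks like a copy-paste slip; an update ID and a device ID are different identifiers and the entry should describe the update. Two smaller points in the same list: "The arguments that are passed to the OS for the restarted." should read "for the restart", and scheduledRebootTime is missing its period and does not say how it differs from scheduledRebootTimeInUTC (presumably local time, which should be stated).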
@@ -5880,21 +7373,21 @@ This event sends data specific to the CleanupSafeOsImages mitigation used for OS
The following fields are available:
-- **ClientId** Unique identifier for each flight.
-- **FlightId** Unique GUID that identifies each instances of setuphost.exe.
-- **InstanceId** The update scenario in which the mitigation was executed.
-- **MitigationScenario** Number of mounted images.
-- **MountedImageCount** Number of mounted images that were under %systemdrive%\$Windows.~BT.
-- **MountedImageMatches** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
-- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
-- **MountedImagesRemoved** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
-- **MountedImagesSkipped** Correlation vector value generated from the latest USO scan.
-- **RelatedCV** HResult of this operation.
-- **Result** ID indicating the mitigation scenario.
-- **ScenarioId** Indicates whether the scenario was supported.
-- **ScenarioSupported** Unique value for each update attempt.
-- **SessionId** Unique ID for each Update.
-- **UpdateId** Unique ID for the Windows Update client.
+- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightId** Unique identifier for each flight.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **MountedImageCount** Number of mounted images.
+- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT.
+- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
+- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
+- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each Update.
- **WuId** Unique ID for the Windows Update client.
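Review bot: The realignment fixes the off-by-one descriptions, but ClientId ("the WU client ID that is passed to Setup") and the unchanged WuId line ("Unique ID for the Windows Update client.") now both read as the Windows Update client identifier, so the difference between the two needs a sentence. InstanceId also keeps the grammar error "each instances of setuphost.exe". Since every description in this list had shifted by one row, it would be worth checking the other Mitigation360Telemetry events in the file for the same shift.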
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 0755ce1e09..f86fc65600 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 10/03/2018
+ms.date: 11/07/2018
---
@@ -20,7 +20,7 @@ ms.date: 10/03/2018
- Windows 10, version 1809
-The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information.
+The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information.
The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
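Review bot: This hunk changes "Microsoft Store" back to "Windows Store" in the Basic level summary, which reverts to the older product name in a document that targets Windows 10, version 1809. Unless this is an intentional sync with another source, keep "Microsoft Store".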
@@ -281,7 +281,7 @@ The following fields are available:
- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device.
-- **DatasourceDevicePnp_RS2** The count of DatasourceApplicationFile objects present on this machine targeting the next release of Windows
+- **DatasourceDevicePnp_RS2** The total DatasourceDevicePnp objects targeting Windows 10 version 1703 present on this device.
- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device.
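Review bot: The _RS2 fix is right, but the neighbouring _RS3 line still says "targeting the next release of Windows", which is stale in a version 1809 document now that _RS1 and _RS2 name 1607 and 1703 explicitly. The new text also says "present on this device" while the _RS1 line says "on this device"; suggest one phrasing across the series. The same two points apply to the matching _RS2 hunks that follow for the other DataSource and Decision object types.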
@@ -295,7 +295,7 @@ The following fields are available:
- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device.
-- **DataSourceMatchingInfoBlock_RS2** The count of DatasourceDevicePnp objects present on this machine targeting the next release of Windows
+- **DataSourceMatchingInfoBlock_RS2** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device.
- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device.
@@ -309,7 +309,7 @@ The following fields are available:
- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
-- **DataSourceMatchingInfoPostUpgrade_RS2** The count of DatasourceDriverPackage objects present on this machine targeting the next release of Windows
+- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device.
@@ -330,7 +330,7 @@ The following fields are available:
- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device.
-- **DecisionDevicePnp_RS2** The count of DataSourceMatchingInfoBlock objects present on this machine targeting the next release of Windows
+- **DecisionDevicePnp_RS2** The total DecisionDevicePnp objects targeting Windows 10 version 1703 present on this device.
- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device.
- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device.
@@ -344,7 +344,7 @@ The following fields are available:
- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device.
-- **DecisionMatchingInfoBlock_RS2** The count of DataSourceMatchingInfoPassive objects present on this machine targeting the next release of Windows
+- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device.
@@ -358,14 +358,14 @@ The following fields are available:
- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
-- **DecisionMatchingInfoPostUpgrade_RS2** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
+- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device.
- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device.
-- **DecisionMediaCenter_RS2** The count of DatasourceSystemBios objects present on this machine targeting the next release of Windows
+- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device.
- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device.
@@ -395,7 +395,7 @@ The following fields are available:
- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
- **SystemWlan** The count of the number of this particular object type present on this device.
- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
-- **Wmdrm_RS2** The count of InventoryLanguagePack objects present on this machine.
+- **Wmdrm_RS2** The total Wmdrm objects targeting Windows 10 version 1703 present on this device.
- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device.
- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device.
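Review bot: The hunk corrects Wmdrm_RS2 but leaves the context line Wmdrm_RS1 described as "An ID for the system, calculated by hashing hardware identifiers.", which does not match the object-count pattern now used for _RS2, _RS3 and _RS4. That looks like another misplaced description; if Wmdrm_RS1 is a count of Wmdrm objects targeting version 1607, fix it here too.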
@@ -1818,14 +1818,18 @@ The following fields are available:
- **AdvertisingId** Current state of the advertising ID setting.
- **AppDiagnostics** Current state of the app diagnostics setting.
- **Appointments** Current state of the calendar setting.
+- **AppointmentsSystem** Current state of the calendar setting.
- **Bluetooth** Current state of the Bluetooth capability setting.
- **BluetoothSync** Current state of the Bluetooth sync capability setting.
- **BroadFileSystemAccess** Current state of the broad file system access setting.
- **CellularData** Current state of the cellular data capability setting.
- **Chat** Current state of the chat setting.
+- **ChatSystem** Current state of the chat setting.
- **Contacts** Current state of the contacts setting.
+- **ContactsSystem** Current state of the Contacts setting.
- **DocumentsLibrary** Current state of the documents library setting.
- **Email** Current state of the email setting.
+- **EmailSystem** Current state of the email setting.
- **FindMyDevice** Current state of the "find my device" setting.
- **GazeInput** Current state of the gaze input setting.
- **HumanInterfaceDevice** Current state of the human interface device setting.
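Review bot: Each added *System field (AppointmentsSystem, ChatSystem, ContactsSystem, EmailSystem) repeats the description of its non-System counterpart word for word, so a reader of this privacy reference cannot tell what the System variant reports that the base field does not. Suggest stating the distinction in each entry. ContactsSystem here also capitalizes "Contacts" while the same field in the later copy of this list uses lowercase. The same applies to PhoneCallHistorySystem and UserDataTasksSystem in the hunks below.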
@@ -1837,6 +1841,7 @@ The following fields are available:
- **Microphone** Current state of the microphone setting.
- **PhoneCall** Current state of the phone call setting.
- **PhoneCallHistory** Current state of the call history setting.
+- **PhoneCallHistorySystem** Current state of the call history setting.
- **PicturesLibrary** Current state of the pictures library setting.
- **Radios** Current state of the radios setting.
- **SensorsCustom** Current state of the custom sensor setting.
@@ -1846,6 +1851,7 @@ The following fields are available:
- **USB** Current state of the USB setting.
- **UserAccountInformation** Current state of the account information setting.
- **UserDataTasks** Current state of the tasks setting.
+- **UserDataTasksSystem** Current state of the tasks setting.
- **UserNotificationListener** Current state of the notifications setting.
- **VideosLibrary** Current state of the videos library setting.
- **Webcam** Current state of the camera setting.
@@ -1979,14 +1985,18 @@ The following fields are available:
- **AdvertisingId** Current state of the advertising ID setting.
- **AppDiagnostics** Current state of the app diagnostics setting.
- **Appointments** Current state of the calendar setting.
+- **AppointmentsSystem** Current state of the calendar setting.
- **Bluetooth** Current state of the Bluetooth capability setting.
- **BluetoothSync** Current state of the Bluetooth sync capability setting.
- **BroadFileSystemAccess** Current state of the broad file system access setting.
- **CellularData** Current state of the cellular data capability setting.
- **Chat** Current state of the chat setting.
+- **ChatSystem** Current state of the chat setting.
- **Contacts** Current state of the contacts setting.
+- **ContactsSystem** Current state of the contacts setting.
- **DocumentsLibrary** Current state of the documents library setting.
- **Email** Current state of the email setting.
+- **EmailSystem** Current state of the email setting.
- **GazeInput** Current state of the gaze input setting.
- **HumanInterfaceDevice** Current state of the human interface device setting.
- **InkTypeImprovement** Current state of the improve inking and typing setting.
@@ -1998,6 +2008,7 @@ The following fields are available:
- **Microphone** Current state of the microphone setting.
- **PhoneCall** Current state of the phone call setting.
- **PhoneCallHistory** Current state of the call history setting.
+- **PhoneCallHistorySystem** Current state of the call history setting.
- **PicturesLibrary** Current state of the pictures library setting.
- **Radios** Current state of the radios setting.
- **SensorsCustom** Current state of the custom sensor setting.
@@ -2007,6 +2018,7 @@ The following fields are available:
- **USB** Current state of the USB setting.
- **UserAccountInformation** Current state of the account information setting.
- **UserDataTasks** Current state of the tasks setting.
+- **UserDataTasksSystem** Current state of the tasks setting.
- **UserNotificationListener** Current state of the notifications setting.
- **VideosLibrary** Current state of the videos library setting.
- **Webcam** Current state of the camera setting.
@@ -2256,6 +2268,59 @@ The following fields are available:
## Component-based servicing events
+### CbsServicingProvider.CbsCapabilityEnumeration
+
+This event reports on the results of scanning for optional Windows content on Windows Update.
+
+The following fields are available:
+
+- **architecture** Indicates the scan was limited to the specified architecture.
+- **capabilityCount** The number of optional content packages found during the scan.
+- **clientId** The name of the application requesting the optional content.
+- **duration** The amount of time it took to complete the scan.
+- **hrStatus** The HReturn code of the scan.
+- **language** Indicates the scan was limited to the specified language.
+- **majorVersion** Indicates the scan was limited to the specified major version.
+- **minorVersion** Indicates the scan was limited to the specified minor version.
+- **namespace** Indicates the scan was limited to packages in the specified namespace.
+- **sourceFilter** A bitmask indicating the scan checked for locally available optional content.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionFinalize
+
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update.
+
+The following fields are available:
+
+- **capabilities** The names of the optional content packages that were installed.
+- **clientId** The name of the application requesting the optional content.
+- **currentID** The ID of the current install session.
+- **highestState** The highest final install state of the optional content.
+- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version.
+- **hrStatus** The HReturn code of the install operation.
+- **rebootCount** The number of reboots required to complete the install.
+- **retryID** The session ID that will be used to retry a failed operation.
+- **retryStatus** Indicates whether the install will be retried in the event of failure.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsCapabilitySessionPended
+
+This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date.
+
+The following fields are available:
+
+- **clientId** The name of the application requesting the optional content.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+
+
### CbsServicingProvider.CbsLateAcquisition
This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date.
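Review bot: hrStatus is described as "The HReturn code" in both CbsCapabilityEnumeration and CbsCapabilitySessionFinalize, while other events in this change use "HResult" (for example "HResult of this operation."); use the one standard term. In CbsCapabilitySessionFinalize the event text covers "installing or uninstalling" but the capabilities field says only "packages that were installed", so the field description should cover both cases. The sourceFilter entry calls the value a bitmask but describes a single condition; list what the bits mean or say where they are defined.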
@@ -2266,6 +2331,28 @@ The following fields are available:
- **RetryID** The ID identifying the retry attempt to update the listed packages.
+### CbsServicingProvider.CbsPackageRemoval
+
+This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date.
+
+The following fields are available:
+
+- **buildVersion** The build number of the security update being uninstalled.
+- **clientId** The name of the application requesting the uninstall.
+- **currentStateEnd** The final state of the update after the operation.
+- **failureDetails** Information about the cause of a failure, if applicable.
+- **failureSourceEnd** The stage during the uninstall where the failure occurred.
+- **hrStatusEnd** The overall exit code of the operation.
+- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image.
+- **majorVersion** The major version number of the security update being uninstalled.
+- **minorVersion** The minor version number of the security update being uninstalled.
+- **originalState** The starting state of the update before the operation.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+- **primitiveExecutionContext** The state during system startup when the uninstall was completed.
+- **revisionVersion** The revision number of the security update being uninstalled.
+- **transactionCanceled** Indicates whether the uninstall was cancelled.
+
+
## Deployment extensions
### DeploymentTelemetry.Deployment_End
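Review bot: In CbsPackageRemoval the transactionCanceled description spells the word "cancelled" while the field name uses "Canceled"; match the field's spelling. The primitiveExecutionContext description ("The state during system startup when the uninstall was completed.") would also benefit from naming the possible states, since as written it does not tell the reader what values to expect.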
@@ -3009,6 +3096,87 @@ The following fields are available:
- **CV** Correlation vector.
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter.
+- **aiSeqId** The event sequence ID.
+- **bootId** The system boot ID.
+- **BrightnessVersionViaDDI** The version of the Display Brightness Interface.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **DisplayAdapterLuid** The display adapter LUID.
+- **DriverDate** The date of the display driver.
+- **DriverRank** The rank of the display driver.
+- **DriverVersion** The display driver version.
+- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
+- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store.
+- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store.
+- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store.
+- **GPUDeviceID** The GPU device ID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **GPURevisionID** The GPU revision ID.
+- **GPUVendorID** The GPU vendor ID.
+- **InterfaceId** The GPU interface ID.
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMiracastSupported** Does the GPU support Miracast?
+- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsPostAdapter** Is this GPU the POST GPU in the device?
+- **IsRemovable** TRUE if the adapter supports being disabled or removed.
+- **IsRenderDevice** Does the GPU have rendering capabilities?
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store.
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **NumVidPnSources** The number of supported display output sources.
+- **NumVidPnTargets** The number of supported display output targets.
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **SubSystemID** The subsystem ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **version** The event version.
+- **WDDMVersion** The Windows Display Driver Model version.
+
+
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppVersion** The version of the app that has hung.
+- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **ProcessId** The ID of the process that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+- **TypeCode** Bitmap describing the hang type.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+
+
## Inventory events
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
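Review bot: In the AppHangEvent description, the pointer "see field 13 of hang event, field 19 of WER event" cannot be followed from this page, because the field list under it is alphabetical and unnumbered; refer to the field by name (ReportId) instead. In the same list, the ReportId entry reads "This can used to track the report across Watson", which is missing "be". PackageFullName and PackageRelativeAppId both carry the identical text "Store application identity.", so the two fields cannot be told apart. Since AppSessionGuid is described as a "GUID made up of process id" and is used for correlation, it would help to say what else goes into it.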
@@ -3104,8 +3272,8 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **InventoryVersion** The version of the inventory component
-- **ProgramIds** The unique program identifier the driver is associated with
+- **InventoryVersion** The version of the inventory component.
+- **ProgramIds** The unique program identifier the driver is associated with.
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
@@ -3308,9 +3476,10 @@ The following fields are available:
- **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
- **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage.
- **Enumerator** The date of the driver loaded for the device.
+- **ExtendedInfs** The extended INF file names.
- **HWID** The version of the driver loaded for the device.
- **Inf** The bus that enumerated the device.
-- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
- **InventoryVersion** List of hardware ids for the device.
- **LowerClassFilters** Lower filter class drivers IDs installed for the device
- **LowerFilters** Lower filter drivers IDs installed for the device
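Review bot: The InstallState link now pins the "en-us" locale; the removed line used the locale-neutral path, which is the better form for a reference link, so I would keep that one. While this list is open: the new ExtendedInfs entry lands among context lines whose descriptions look shifted against their field names. DriverVerDate is described as "Name of the .sys image file", Enumerator as "The date of the driver loaded for the device", HWID as "The version of the driver loaded for the device", Inf as "The bus that enumerated the device" and InventoryVersion as "List of hardware ids for the device". Please check the whole list against the event schema rather than only appending to it.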
@@ -3463,6 +3632,18 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace
+
+This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin.
+
+
+
+### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace
+
+This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end.
+
+
+
### Microsoft.Windows.Inventory.General.AppHealthStaticAdd
This event sends details collected for a specific application on the source device.
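Review bot: Both new entries, StartUtcJsonTrace and StopUtcJsonTrace, end after one paragraph with no field list and no statement that the event carries no fields, followed by three blank added lines. Either add "The following fields are available:" with the fields, or say explicitly that there are none, so a reader auditing what is collected does not have to guess. The first sentence of each is also a comma splice ("collects traces of all other Core events, not used in typical customer scenarios"); splitting it in two would make clear that it is the event, not the traces, that is unused in typical customer scenarios.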
@@ -3510,27 +3691,27 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **AddinCLSID** The CLSID for the Office add-in.
-- **AddInId** Office add-in ID.
-- **AddinType** Office add-in Type.
-- **BinFileTimestamp** Timestamp of the Office add-in.
-- **BinFileVersion** Version of the Office add-in.
-- **Description** Office add-in description.
-- **FileId** FileId of the Office add-in.
-- **FileSize** File size of the Office add-in.
-- **FriendlyName** Friendly name for office add-in.
-- **FullPath** Unexpanded path to the office add-in.
+- **AddinCLSID** The CLSID for the Office addin
+- **AddInId** Office addin ID
+- **AddinType** The type of the Office addin.
+- **BinFileTimestamp** Timestamp of the Office addin
+- **BinFileVersion** Version of the Office addin
+- **Description** Office addin description
+- **FileId** FileId of the Office addin
+- **FileSize** File size of the Office addin
+- **FriendlyName** Friendly name for office addin
+- **FullPath** Unexpanded path to the office addin
- **InventoryVersion** The version of the inventory binary generating the events.
-- **LoadBehavior** Uint32 that describes the load behavior.
-- **OfficeApplication** The office application for this add-in.
-- **OfficeArchitecture** Architecture of the add-in.
-- **OfficeVersion** The office version for this add-in.
-- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add-in.
-- **ProductCompany** The name of the company associated with the Office add-in.
-- **ProductName** The product name associated with the Office add-in.
-- **ProductVersion** The version associated with the Office add-in.
-- **ProgramId** The unique program identifier of the Office add-in.
-- **Provider** Name of the provider for this add-in.
+- **LoadBehavior** Uint32 that describes the load behavior
+- **OfficeApplication** The office application for this addin
+- **OfficeArchitecture** Architecture of the addin
+- **OfficeVersion** The office version for this addin
+- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this addin
+- **ProductCompany** The name of the company associated with the Office addin
+- **ProductName** The product name associated with the Office addin
+- **ProductVersion** The version associated with the Office addin
+- **ProgramId** The unique program identifier of the Office addin
+- **Provider** Name of the provider for this addin
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
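Review bot: Every changed line here swaps "add-in" for "addin" and drops the closing period (AddinType is the one exception), which runs opposite to the earlier Inventory hunk in this same patch that adds periods to InventoryVersion and ProgramIds. The removed wording was the more consistent of the two, and the unchanged InventoryVersion line in the middle of this list still ends with a period. Unless "addin" is a deliberate terminology change, I would keep the removed lines and only apply the one real content edit, the reworded AddinType description. The mixed "Office"/"office" capitalization is carried over from the old text and could be fixed at the same time.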
@@ -3908,6 +4089,153 @@ The following fields are available:
- **UserInputTime** The amount of time the loader application spent waiting for user input.
+## OneDrive events
+
+### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
+
+This event includes basic data about the installation state of dependent OneDrive components.
+
+The following fields are available:
+
+- **ComponentName** The name of the dependent component.
+- **isInstalled** Is the dependent component installed?
+
+
+### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
+
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+
+The following fields are available:
+
+- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system.
+- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
+
+This event sends information describing the result of the update.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+- **IsLoggingEnabled** Indicates whether logging is enabled for the updater.
+- **UpdaterVersion** The version of the updater.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
+
+This event determines the status when downloading the OneDrive update configuration file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
+
+This event determines the error code that was returned when verifying Internet connectivity.
+
+The following fields are available:
+
+- **winInetError** The HResult of the operation.
+
+
+## Other events
+
+### Microsoft.Windows.Kits.WSK.WskImageCreate
+
+This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures.
+
+The following fields are available:
+
+- **Phase** The image creation phase. Values are “Start” or “End”.
+- **WskVersion** The version of the Windows System Kit being used.
+
+
+### Microsoft.Windows.Kits.WSK.WskImageCustomization
+
+This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures.
+
+The following fields are available:
+
+- **Mode** The mode of update to image configuration files. Values are “New” or “Update”.
+- **Phase** The image creation phase. Values are “Start” or “End”.
+- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”.
+- **WskVersion** The version of the Windows System Kit being used.
+
+
+### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate
+
+This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures.
+
+The following fields are available:
+
+- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”.
+- **OsEdition** The Operating System Edition that the workspace will target.
+- **Phase** The image creation phase. Values are “Start” or “End”.
+- **WskVersion** The version of the Windows System Kit being used.
+
+
+### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General
+
+This event provides information about application properties to indicate the successful execution.
+
+The following fields are available:
+
+- **AppMode** Indicates the mode the app is being currently run around privileges.
+- **ExitCode** Indicates the exit code of the app.
+- **Help** Indicates if the app needs to be launched in the help mode.
+- **ParseError** Indicates if there was a parse error during the execution.
+- **RightsAcquired** Indicates if the right privileges were acquired for successful execution.
+- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution.
+- **TestMode** Indicates whether the app is being run in test mode.
+
+
+### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount
+
+This event provides information about the properties of user accounts in the Administrator group.
+
+The following fields are available:
+
+- **Internal** Indicates the internal property associated with the count group.
+- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account.
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivationError
+
+This event indicates whether the system detected an activation error in the app.
+
+The following fields are available:
+
+- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app.
+- **AppId** The Xbox LIVE Title ID.
+- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate.
+- **Result** The HResult error.
+- **UserId** The Xbox LIVE User ID (XUID).
+
+
+### Microsoft.Xbox.XamTelemetry.AppActivity
+
+This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
+
+The following fields are available:
+
+- **AppActionId** The ID of the application action.
+- **AppCurrentVisibilityState** The ID of the current application visibility state.
+- **AppId** The Xbox LIVE Title ID of the app.
+- **AppPackageFullName** The full name of the application package.
+- **AppPreviousVisibilityState** The ID of the previous application visibility state.
+- **AppSessionId** The application session ID.
+- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
+- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
+- **DurationMs** The amount of time (in milliseconds) since the last application state transition.
+- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license.
+- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc).
+- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license.
+- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application.
+- **UserId** The XUID (Xbox User ID) of the current user.
+
+
## Privacy consent logging events
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
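Review bot: In Microsoft.OneDrive.Sync.Updater.WebConnectionStatus, the winInetError field is described as "The HResult of the operation.", the same text used for the hr fields in the two events above it, while the event description says it reports "the error code that was returned when verifying Internet connectivity". Please confirm which it is and describe the field accordingly. A few other entries in this hunk need another pass: in AccountTraceLoggingProvider.General, "Indicates the mode the app is being currently run around privileges" is hard to parse and the event text never says which application it describes; in AccountTraceLoggingProvider.GetCount, the event is about accounts in the Administrator group but the Internal field is explained only as "the internal property associated with the count group"; in XamTelemetry.AppActivity, LicenseType reads "The type of licensed used". For OverlayIconStatus, the 0/1/2 legend would be easier to find on the 32bit and 64bit field lines than in the event description.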
@@ -3936,6 +4264,43 @@ The following fields are available:
- **userRegionCode** The current user's region setting
+## Setup events
+
+### SetupPlatformTel.SetupPlatformTelActivityEvent
+
+This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStarted
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+The following fields are available:
+
+- **Name** The name of the dynamic update type. Example: GDR driver
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStopped
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+
+
+### SetupPlatformTel.SetupPlatfOrmTelEvent
+
+This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
+
+The following fields are available:
+
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+
+
## Software update events
### SoftwareUpdateClientTelemetry.CheckForUpdates
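Review bot: The last new heading, "SetupPlatformTel.SetupPlatfOrmTelEvent", has a capital O in the middle of "Platform" that the three headings above it do not; please confirm this is the literal event name and not a typo, since readers will search for it verbatim. Its description says "This service retrieves events generated by SetupPlatform", but the entry documents an event, not a service, and the GroupName and FieldName descriptions likewise start with "Retrieves" where they should state what the field contains. Smaller points: the examples mix "InstallStartTime" and "InstallEndtime", the Value line has no closing period, and SetupPlatformTelActivityStopped has no field list or note that it has none.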
@@ -4010,7 +4375,7 @@ The following fields are available:
- **ScanDurationInSeconds** The number of seconds a scan took
- **ScanEnqueueTime** The number of seconds it took to initialize a scan
- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates).
-- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.).
- **ServiceUrl** The environment URL a device is configured to scan with
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
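Review bot: The ServiceGuid line changes "Microsoft Store" to "Windows Store", which moves the text back to the older product name; the removed line had the current one. The same substitution is made on every ServiceGuid line touched by the following hunks in this file. If the intent is to match the wording of an older release's documentation, say so in the commit message; otherwise keep "Microsoft Store" throughout.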
@@ -4092,7 +4457,7 @@ The following fields are available:
- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload.
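Review bot: In the context lines just above the changed ServiceGuid entry, RepeatFailCount is described as "Indicates whether this specific piece of content has previously failed.", a yes/no description on a field named as a count, and it nearly duplicates RepeatFailFlag on the next line. Since this list is being edited anyway, please check whether RepeatFailCount should be described as the number of previous failures. The ServiceGuid descriptions also alternate between "An ID that represents" here and "An ID which represents" in the neighbouring hunks; one wording for all of them would be easier to maintain.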
@@ -4169,7 +4534,7 @@ The following fields are available:
- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install.
- **RevisionNumber** The revision number of this specific piece of content.
-- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
@@ -4219,7 +4584,7 @@ The following fields are available:
- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one.
- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
@@ -4240,7 +4605,7 @@ The following fields are available:
- **CmdLineArgs** Command line arguments passed in by the caller.
- **EventInstanceID** A globally unique identifier for the event instance.
- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
- **WUDeviceID** Unique device ID controlled by the software distribution client.
@@ -4279,7 +4644,7 @@ The following fields are available:
- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one.
- **RepeatFailCount** Indicates whether this specific piece of content previously failed.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
@@ -4300,7 +4665,7 @@ The following fields are available:
- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete.
- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
-- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.).
- **WUDeviceID** The unique device ID controlled by the software distribution client.
@@ -4334,6 +4699,296 @@ The following fields are available:
- **LinkSpeed** The adapter link speed.
+## Update events
+
+### Update360Telemetry.Revert
+
+This event sends data relating to the Revert phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the Revert phase.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **RebootRequired** Indicates reboot is required.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **RevertResult** The result code returned for the Revert operation.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
+### Update360Telemetry.UpdateAgentCommit
+
+This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentDownloadRequest
+
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile.
+
+The following fields are available:
+
+- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **DownloadRequests** Number of times a download was retried.
+- **ErrorCode** The error code returned for the current download request phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique ID for each flight.
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable.
+- **PackageCountOptional** Number of optional packages requested.
+- **PackageCountRequired** Number of required packages requested.
+- **PackageCountTotal** Total number of packages needed.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **PackageExpressType** Type of express package.
+- **PackageSizeCanonical** Size of canonical packages in bytes.
+- **PackageSizeDiff** Size of diff packages in bytes.
+- **PackageSizeExpress** Size of express packages in bytes.
+- **RangeRequestState** Indicates the range request type used.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the download request phase of update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentExpand
+
+This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **ElapsedTickCount** Time taken for expand phase.
+- **EndFreeSpace** Free space after expand phase.
+- **EndSandboxSize** Sandbox size after expand phase.
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **StartFreeSpace** Free space before expand phase.
+- **StartSandboxSize** Sandbox size after expand phase.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentFellBackToCanonical
+
+This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PackageCount** Number of packages that feel back to canonical.
+- **PackageList** PackageIds which fell back to canonical.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInitialize
+
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInstall
+
+This event sends data for the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** The result for the current install phase.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentMerge
+
+The UpdateAgentMerge event sends data on the merge phase when updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current merge phase.
+- **FlightId** Unique ID for each flight.
+- **MergeId** The unique ID to join two update sessions being merged.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Related correlation vector value.
+- **Result** Outcome of the merge phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentMitigationResult
+
+This event sends data indicating the result of each update agent mitigation.
+
+The following fields are available:
+
+- **Applicable** Indicates whether the mitigation is applicable for the current update.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightId** Unique identifier for each flight.
+- **Index** The mitigation index of this particular mitigation.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly name of the mitigation.
+- **ObjectId** Unique value for each Update Agent mode.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentMitigationSummary
+
+This event sends a summary of all the update agent mitigations available for an this update.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **Failed** The count of mitigations that failed.
+- **FlightId** Unique identifier for each flight.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments).
+- **Total** Total number of mitigations that were available.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **Mode** Indicates the mode that has started.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **Version** Version of update
+
+
+### Update360Telemetry.UpdateAgentOneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **Count** The count of applicable OneSettings for the device.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+- **Values** The values sent back to the device, if applicable.
+
+
+### Update360Telemetry.UpdateAgentPostRebootResult
+
+This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current post reboot phase.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PostRebootResult** Indicates the Hresult.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentReboot
+
+This event sends information indicating that a request has been sent to suspend an update.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current reboot.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
+### Update360Telemetry.UpdateAgentSetupBoxLaunch
+
+The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
+
+The following fields are available:
+
+- **ContainsExpressPackage** Indicates whether the download package is express.
+- **FlightId** Unique ID for each flight.
+- **FreeSpace** Free space on OS partition.
+- **InstallCount** Number of install attempts using the same sandbox.
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **SandboxSize** Size of the sandbox.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **SetupMode** Mode of setup to be launched.
+- **UpdateId** Unique ID for each Update.
+- **UserSession** Indicates whether install was invoked by user actions.
+
+
## Upgrade events
### FacilitatorTelemetry.DCATDownload
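Review bot: The description added for Update360Telemetry.UpdateAgentReboot ("a request has been sent to suspend an update") does not match the event name or its own ErrorCode field ("The error code returned for the current reboot"). It reads like text carried over from a suspend event and should describe the reboot request instead. UpdateAgentOneSettings has the same problem: it is described as covering "the post reboot phase", yet its fields (Count, Parameters, Values) concern the OneSettings lookup. Because Parameters and Values are open-ended name/value data, the description should state what they may contain so that anyone auditing what leaves the device can assess them. Smaller fixes in the same hunk: "available for an this update" in UpdateAgentMitigationSummary, the missing period after "Version of update", and "Hresult" versus "HResult" in PostRebootResult.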
@@ -4364,6 +5019,197 @@ The following fields are available:
- **Version** Version of Facilitator.
+### Setup360Telemetry.Downlevel
+
+This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the downlevel OS.
+- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** More detailed information about phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback).
+- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors).
+- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT).
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** An ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
+
+
+### Setup360Telemetry.Finalize
+
+This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.OsUninstall
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.PostRebootInstall
+
+This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
+
+
+### Setup360Telemetry.PreDownloadQuiet
+
+This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreDownloadUX
+
+This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous operating system.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
+- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.PreInstallQuiet
+
+This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT).
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreInstallUX
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.Setup360
+
+This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FieldName** Retrieves the data point.
+- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
+- **InstanceId** Retrieves a unique identifier for each instance of a setup session.
+- **ReportId** Retrieves the report ID.
+- **ScenarioId** Retrieves the deployment scenario.
+- **Value** Retrieves the value associated with the corresponding FieldName.
+
+
### Setup360Telemetry.Setup360DynamicUpdate
This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date.
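Review bot: In Setup360Telemetry.OsUninstall, PreDownloadUX and PreInstallUX the ReportId field repeats the ClientId wording ("For Windows Update, this will be the Windows Update client ID that is passed to Setup"), while Downlevel, Finalize, PostRebootInstall, PreDownloadQuiet and PreInstallQuiet describe ReportId as "the updateID that is passed to Setup". One of the two is wrong, and the three events should be corrected or the difference explained. PreDownloadUX also describes FlightData with the ClientId text ("In the WU scenario, this will be the WU client ID ... default value is Media360") instead of "Unique value that identifies the flight". Since these fields are identifiers that a reader maps to data collected from the device, the descriptions need to be accurate rather than copied. Minor consistency points: "canceled" in PreDownloadQuiet versus "cancelled" elsewhere, missing trailing periods on several Setup360Mode, Setup360Scenario, State and InstanceId lines, and "Windows 7.X, Windows 8.X, Windows 10 and RS" in PreDownloadUX where "RS" is never expanded.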
@@ -4381,6 +5227,89 @@ The following fields are available:
- **TargetBuild** Build of the target OS.
+### Setup360Telemetry.Setup360MitigationResult
+
+This event sends data indicating the result of each setup mitigation.
+
+The following fields are available:
+
+- **Applicable** TRUE if the mitigation is applicable for the current update.
+- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightData** The unique identifier for each flight (test release).
+- **Index** The mitigation index of this particular mitigation.
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly (descriptive) name of the mitigation.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+
+
+### Setup360Telemetry.Setup360MitigationSummary
+
+This event sends a summary of all the setup mitigations available for this update.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Failed** The count of mitigations that failed.
+- **FlightData** The unique identifier for each flight (test release).
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **Total** The total number of mitigations that were available.
+
+
+### Setup360Telemetry.Setup360OneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Count** The count of applicable OneSettings for the device.
+- **FlightData** The ID for the flight (test instance version).
+- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **ReportId** The Update ID passed to Setup.
+- **Result** The HResult of the event error.
+- **ScenarioId** The update scenario ID.
+- **Values** Values sent back to the device, if applicable.
+
+
+### Setup360Telemetry.UnexpectedEvent
+
+This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
## Windows as a Service diagnostic events
### Microsoft.Windows.WaaSMedic.SummaryEvent
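Review bot: The description of Setup360Telemetry.Setup360OneSettings is identical to the one given for Update360Telemetry.UpdateAgentOneSettings ("information regarding the post reboot phase of the new UUP ... update scenario") and says nothing about OneSettings, although every event-specific field (Count, Parameters, Values) is about the OneSettings query. Please replace it with a description of what the event actually reports, and say what kind of name/value pairs Parameters and Values can carry, since the field text alone leaves the collected content open-ended. In Setup360MitigationSummary, TimeDiff says "performing the mitigation" where the Update360 summary says "performing all mitigations"; the summary event should use the plural form. "Globally Unique ID" and "Globally-Unique ID" should also be written one way.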
@@ -4407,6 +5336,50 @@ The following fields are available:
- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter.
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+- **DumpFileSize** Size of the dump file
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+
+
+## Windows Update Delivery Optimization events
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnUrl** The URL of the CDN.
+- **errorCode** The error code that was returned.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.).
+- **requestOffset** The byte offset within the file in the sent request.
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+- **sessionID** The ID of the download session.
+
+
## Windows Update events
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
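Review bot: The Microsoft.Windows.WERVertical.OSCrash description says the event "sends binary data from the collected dump file", but none of the listed fields carries dump content; they are bug check codes and parameters, DumpFileAttributes, DumpFileSize, IsValidDumpFile and ReportId. Either document the field that holds the dump data or reword the description to say the event sends metadata about the dump, because whether memory contents leave the device is exactly what a reader of this page needs to know. The same sentence has two typos: "wheneveer" and "The is the OneCore version". In FailureCdnCommunication, cdnHeaders, cdnIp and cdnUrl would benefit from a note on whether the headers are sent in full, and the DumpFile* and isHeadRequest lines are missing trailing periods.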
@@ -4525,6 +5498,32 @@ The following fields are available:
- **updateId** Unique identifier for each update.
+### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
+
+This event indicates that a notification dialog box is about to be displayed to user.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown.
+- **DaysSinceRebootRequired** Number of days since restart was required.
+- **DeviceLocalTime** The local time on the device sending the event.
+- **EngagedModeLimit** The number of days to switch between DTE dialog boxes.
+- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode.
+- **ETag** OneSettings versioning value.
+- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device.
+- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device.
+- **NotificationUxState** Indicates which dialog box is shown.
+- **NotificationUxStateString** Indicates which dialog box is shown.
+- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced).
+- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced).
+- **RebootVersion** Version of DTE.
+- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time.
+
+
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog
This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed..
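Review bot: In DialogNotificationToBeDisplayed the pairs NotificationUxState / NotificationUxStateString and RebootUxState / RebootUxStateString have word-for-word identical descriptions ("Indicates which dialog box is shown." and "Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced)."), so the reader cannot tell why both fields exist. If one is the numeric value and the other its string form, say so in each description. "DTE" is used in EngagedModeLimit and RebootVersion without being expanded anywhere in this event, and the event description should read "displayed to the user".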
@@ -4541,6 +5540,65 @@ The following fields are available:
- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time.
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog
+
+This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time of the device sending the event.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that the user chose in this dialog box.
+- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog
+
+This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** Time the dialog box was shown on the local device.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that user chose in this dialog box.
+- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog
+
+This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings).
+- **ETag** The OneSettings versioning value.
+- **ExitCode** Indicates how users exited the reboot reminder dialog box.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+- **UserResponseString** The option chosen by the user on the reboot dialog box.
+- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC).
+
+
+### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy
+
+This event indicates a policy is present that may restrict update activity to outside of active hours.
+
+The following fields are available:
+
+- **activeHoursEnd** The end of the active hours window.
+- **activeHoursStart** The start of the active hours window.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel
This event indicates that Windows Update activity was blocked due to low battery level.
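Review bot: "DTE" is expanded only in the third of these dialog events (EnhancedEngagedRebootReminderDialog: "The version of the DTE (Direct-to-Engaged)"), while RebootFailedDialog and RebootImminentDialog above it just say "Version of DTE."; expand the acronym at first use or in all three. The three events also describe the same eight fields with different wording and mix "restart" and "reboot" ("pending restart to finish installation" versus "waiting for reboot to finish installation"); aligning them would make it clear that the fields are the same. In ActivityRestrictedByActiveHoursPolicy, activeHoursStart and activeHoursEnd give no unit or format (hour of day, local or UTC), which the field descriptions should state.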
@@ -4553,6 +5611,22 @@ The following fields are available:
- **wuDeviceid** Device ID.
+### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
+
+This event indicates the reboot was postponed due to needing a display.
+
+The following fields are available:
+
+- **displayNeededReason** Reason the display is needed.
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
+- **revisionNumber** Revision number of the update.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit
This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update.
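Review bot: The **eventScenario** description in DisplayNeeded ("whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed") looks copied from a software distribution event and does not fit an event about a reboot postponed because a display is needed. Other Orchestrator events in this patch describe the same field as "End-to-end update session ID." or "Indicates the purpose of sending this event.", so please confirm what the field holds here and use one wording. The **wuDeviceid** line in this section is also missing its closing period.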
@@ -4592,6 +5666,162 @@ The following fields are available:
- **wuDeviceid** The Windows Update device ID.
+### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
+
+This event indicates that the update is no longer applicable to this device.
+
+The following fields are available:
+
+- **EventPublishedTime** Time when this event was generated.
+- **flightID** The specific ID of the Windows Insider build.
+- **revisionNumber** Update revision number.
+- **updateId** Unique Windows Update ID.
+- **updateScenarioType** Update session type.
+- **UpdateStatus** Last status of update.
+- **UUPFallBackConfigured** Indicates whether UUP fallback is configured.
+- **wuDeviceid** Unique Device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
+
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventPublishedTime** Time of the event.
+- **flightID** Unique update ID
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
+- **revisionNumber** Revision number of the update.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.Install
+
+This event sends launch data for a Windows Update install to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **deferReason** Reason for install not completing.
+- **errorCode** The error code reppresented by a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** Unique update ID
+- **flightUpdate** Indicates whether the update is a Windows Insider build.
+- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
+- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored.
+- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
+- **installRebootinitiatetime** The time it took for a reboot to be attempted.
+- **interactive** Identifies if session is user initiated.
+- **minutesToCommit** The time it took to install updates.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.LowUptimes
+
+This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure.
+
+The following fields are available:
+
+- **availableHistoryMinutes** The number of minutes available from the local machine activity history.
+- **isLowUptimeMachine** Is the machine considered low uptime or not.
+- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime.
+- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime.
+- **uptimeMinutes** Number of minutes of uptime measured.
+- **wuDeviceid** Unique device ID for Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection
+
+This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date.
+
+The following fields are available:
+
+- **externalOneshotupdate** The last time a task-triggered scan was completed.
+- **interactiveOneshotupdate** The last time an interactive scan was completed.
+- **oldlastscanOneshotupdate** The last time a scan completed successfully.
+- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID).
+
+
+### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
+
+This event is generated before the shutdown and commit operations.
+
+The following fields are available:
+
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
+### Microsoft.Windows.Update.Orchestrator.RebootFailed
+
+This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **deferReason** Reason for install not completing.
+- **EventPublishedTime** The time that the reboot failure occurred.
+- **flightID** Unique update ID.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours.
+- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.RefreshSettings
+
+This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **settingsDownloadTime** Timestamp of the last attempt to acquire settings.
+- **settingsETag** Version identifier for the settings.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
+
+This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+
+The following fields are available:
+
+- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not.
+- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for.
+- **RebootTaskRestoredTime** Time at which this reboot task was restored.
+- **wuDeviceid** Device ID for the device on which the reboot is restored.
+
+
+### Microsoft.Windows.Update.Orchestrator.ScanTriggered
+
+This event indicates that Update Orchestrator has started a scan operation.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current scan operation.
+- **eventScenario** Indicates the purpose of sending this event.
+- **interactive** Indicates whether the scan is interactive.
+- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system.
+- **isScanPastSla** Indicates whether the SLA has elapsed for scanning.
+- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan.
+- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA.
+- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA.
+- **scanTriggerSource** Indicates what caused the scan.
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.StickUpdate
This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update.
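Review bot: Field descriptions are inconsistent across the sections added in this hunk and should be reconciled before merge. **eventScenario** is "End-to-end update session ID." in Orchestrator.Install but "Indicates the purpose of sending this event." in ScanTriggered. **flightID** is "Unique update ID" in InitiatingReboot and Install (no closing period in either), although FlightInapplicable defines it as "The specific ID of the Windows Insider build" and **updateId** is documented separately in the same lists. **batteryLevel** ("Current battery capacity in mWh or percentage left") does not say which unit is reported or how a reader tells them apart. Also fix the typo "reppresented" in the Install **errorCode** line, and reword the LowUptimes summary, where "in order to keep secure" has no object.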
@@ -4602,6 +5832,22 @@ The following fields are available:
- **wuDeviceid** Unique device ID controlled by the software distribution client.
+### Microsoft.Windows.Update.Orchestrator.SystemNeeded
+
+This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+
+The following fields are available:
+
+- **eventScenario** End-to-end update session ID.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **systemNeededReason** List of apps or tasks that are preventing the system from restarting.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours
This event indicates that update activity was stopped due to active hours starting.
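Review bot: **systemNeededReason** in SystemNeeded is documented as "List of apps or tasks that are preventing the system from restarting", which for a diagnostic data reference leaves open what is actually recorded for each entry (a name, a path, an identifier). Please state the form of the values so readers assessing what leaves the device can judge the field. **eventScenario** is again described as "End-to-end update session ID.", which conflicts with the "purpose of sending this event" wording used for the same field in ScanTriggered earlier in this patch.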
@@ -4636,6 +5882,111 @@ The following fields are available:
- **wuDeviceid** Unique device ID controlled by the software distribution client.
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **configuredPoliciescount** Number of policies on the device.
+- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight).
+- **policyCacherefreshtime** Time when policy cache was refreshed.
+- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
+
+This event sends data about whether an update required a reboot to help keep Windows up to date.
+
+The following fields are available:
+
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed
+
+This event sends information about an update that encountered problems and was not able to complete.
+
+The following fields are available:
+
+- **errorCode** The error code encountered.
+- **wuDeviceid** The ID of the device in which the error occurred.
+
+
+### Microsoft.Windows.Update.Orchestrator.UsoSession
+
+This event represents the state of the USO service at start and completion.
+
+The following fields are available:
+
+- **activeSessionid** A unique session GUID.
+- **eventScenario** The state of the update action.
+- **interactive** Is the USO session interactive?
+- **lastErrorcode** The last error that was encountered.
+- **lastErrorstate** The state of the update when the last error was encountered.
+- **sessionType** A GUID that refers to the update session type.
+- **updateScenarioType** A descriptive update session type.
+- **wuDeviceid** The Windows Update device GUID.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
+
+This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown.
+- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed.
+- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs.
+- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode.
+- **ETag** The Entity Tag that represents the OneSettings version.
+- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device.
+- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device.
+- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending.
+- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode.
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
+
+This event is sent when a security update has successfully completed.
+
+The following fields are available:
+
+- **UtcTime** The Coordinated Universal Time that the restart was no longer needed.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
+
+This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **activeHoursApplicable** Indicates whether Active Hours applies on this device.
+- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled.
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
+- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise.
+- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
+- **rebootState** Current state of the reboot.
+- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler.
+- **revisionNumber** Revision number of the OS.
+- **scheduledRebootTime** Time scheduled for the reboot.
+- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC.
+- **updateId** Identifies which update is being scheduled.
+- **wuDeviceid** Unique DeviceID
+
+
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask
This event is sent when MUSE broker schedules a task.
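Review bot: The summary for MusNotification.RebootNoLongerNeeded ("This event is sent when a security update has successfully completed.") does not match its only field, **UtcTime**, which records when "the restart was no longer needed"; the summary should say what condition clears the pending restart. In EnhancedEngagedRebootUxState, **SkipToAutoModeLimit** ("The maximum number of days to switch to start while in Auto Reboot mode") does not parse, and **AcceptAutoModeLimit** and **EnterAutoModeLimit** have nearly identical descriptions, so the difference between the two limits is not documented. In MusNotification.RebootScheduled, **revisionNumber** is "Revision number of the OS" while every Orchestrator section in this patch calls it the update revision, and **wuDeviceid** ("Unique DeviceID") lacks a closing period.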
@@ -4646,4 +5997,73 @@ The following fields are available:
- **TaskName** Name of the task.
+### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
+
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date.
+
+The following fields are available:
+
+- **activeHoursApplicable** Is the restart respecting Active Hours?
+- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE.
+- **rebootArgument** The arguments that are passed to the OS for the restarted.
+- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours?
+- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device.
+- **rebootState** The state of the restart.
+- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE.
+- **revisionNumber** The revision number of the OS being updated.
+- **scheduledRebootTime** Time of the scheduled reboot
+- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time.
+- **updateId** The Windows Update device GUID.
+- **wuDeviceid** The Windows Update device GUID.
+
+
+## Windows Update mitigation events
+
+### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
+
+This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
+
+The following fields are available:
+
+- **ClientId** Unique identifier for each flight.
+- **FlightId** Unique GUID that identifies each instances of setuphost.exe.
+- **InstanceId** The update scenario in which the mitigation was executed.
+- **MitigationScenario** Number of mounted images.
+- **MountedImageCount** Number of mounted images that were under %systemdrive%\$Windows.~BT.
+- **MountedImageMatches** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
+- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
+- **MountedImagesRemoved** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
+- **MountedImagesSkipped** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** HResult of this operation.
+- **Result** ID indicating the mitigation scenario.
+- **ScenarioId** Indicates whether the scenario was supported.
+- **ScenarioSupported** Unique value for each update attempt.
+- **SessionId** Unique ID for each Update.
+- **UpdateId** Unique ID for the Windows Update client.
+- **WuId** Unique ID for the Windows Update client.
+
+
+### Mitigation360Telemetry.MitigationCustom.FixupEditionId
+
+This event sends data specific to the FixupEditionId mitigation used for OS updates.
+
+The following fields are available:
+
+- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **EditionIdUpdated** Determine whether EditionId was changed.
+- **FlightId** Unique identifier for each flight.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **ProductEditionId** Expected EditionId value based on GetProductInfo.
+- **ProductType** Value returned by GetProductInfo.
+- **RegistryEditionId** EditionId value in the registry.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **WuId** Unique ID for the Windows Update client.
+
+
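Review bot: In Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages the descriptions are shifted one field down from **ClientId** through **UpdateId**: ClientId carries the FlightId text ("Unique identifier for each flight"), **MitigationScenario** is "Number of mounted images", **RelatedCV** is "HResult of this operation", **Result** is "ID indicating the mitigation scenario", and **UpdateId** and **WuId** both end up as "Unique ID for the Windows Update client". The FixupEditionId section directly below has the expected pairing for the shared fields, so realign against that and restore the missing ClientId description. Separately, in MusUpdateSettings.RebootScheduled, **updateId** is described as "The Windows Update device GUID.", identical to **wuDeviceid**, which looks like a copy-paste error, and **rebootArgument** ends with "for the restarted" where "restart" is meant.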
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 6436e38396..cd8898c653 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -1,445 +1,451 @@
----
-description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
-title: Configure Windows diagnostic data in your organization (Windows 10)
-keywords: privacy
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: high
-author: brianlic-msft
-ms.date: 04/04/2018
----
-
-# Configure Windows diagnostic data in your organization
-
-**Applies to**
-
-- Windows 10 Enterprise
-- Windows 10 Mobile
-- Windows Server
-
-At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
-
-To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
-
-- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
-- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
-- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
-- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
-- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
-- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
-
-This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
-
-Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
-
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-
-## Overview
-
-In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
-
-For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
-
-## Understanding Windows diagnostic data
-
-Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
-
-The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
-
-### What is Windows diagnostic data?
-Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
-
-- Keep Windows up to date
-- Keep Windows secure, reliable, and performant
-- Improve Windows – through the aggregate analysis of the use of Windows
-- Personalize Windows engagement surfaces
-
-Here are some specific examples of Windows diagnostic data:
-
-- Type of hardware being used
-- Applications installed and usage details
-- Reliability information on device drivers
-
-### What is NOT diagnostic data?
-
-Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request.
-
-There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
-
-If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
-
-The following are specific examples of functional data:
-
-- Current location for weather
-- Bing searches
-- Wallpaper and desktop settings synced across multiple devices
-
-### Diagnostic data gives users a voice
-
-Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
-
-### Drive higher app and driver quality
-
-Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
-
-#### Real-world example of how Windows diagnostic data helps
-There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
-
-### Improve end-user productivity
-
-Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
-
-- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
-- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
-- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
-
-**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
-
-
-### Insights into your own organization
-
-Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
-
-#### Upgrade Readiness
-
-Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
-
-To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
-
-With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
-
-Use Upgrade Readiness to get:
-
-- A visual workflow that guides you from pilot to production
-- Detailed computer, driver, and application inventory
-- Powerful computer level search and drill-downs
-- Guidance and insights into application and driver compatibility issues with suggested fixes
-- Data driven application rationalization tools
-- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-- Data export to commonly used software deployment tools
-
-The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-
-## How is diagnostic data handled by Microsoft?
-
-### Data collection
-
-Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
-
-1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
-2. Events are gathered using public operating system event logging and tracing APIs.
-3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
-4. The Connected User Experiences and Telemetry component transmits the diagnostic data.
-
-Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
-
-### Data transmission
-
-All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
-
-The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day).
-
-
-### Endpoints
-
-The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
-
-The following table defines the endpoints for Connected User Experiences and Telemetry component:
-
-Windows release | Endpoint
---- | ---
-Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1Functional: v20.vortex-win.data.microsoft.com/collect/v1Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1settings-win.data.microsoft.com
-Windows 10, version 1607 | v10.vortex-win.data.microsoft.comsettings-win.data.microsoft.com
-
-The following table defines the endpoints for other diagnostic data services:
-
-| Service | Endpoint |
-| - | - |
-| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
-| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
-| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
-
-### Data use and access
-
-The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
-
-### Retention
-
-Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
-
-## Diagnostic data levels
-This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
-
-The diagnostic data is categorized into four levels:
-
-- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
-
-- **Basic**. Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
-
-- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
-
-- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
-
-The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016.
-
-
-
-### Security level
-
-The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
-
-> [!NOTE]
-> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
-
-Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
-
-The data gathered at this level includes:
-
-- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
-
-- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
-
- > [!NOTE]
- > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
-
-- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
-
- > [!NOTE]
- > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
-
- Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
-
-For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
-
-No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
-
-### Basic level
-
-The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
-
-The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
-
-The data gathered at this level includes:
-
-- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include:
-
- - Device attributes, such as camera resolution and display type
-
- - Internet Explorer version
-
- - Battery attributes, such as capacity and type
-
- - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
-
- - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
-
- - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
-
- - Operating system attributes, such as Windows edition and virtualization state
-
- - Storage attributes, such as number of drives, type, and size
-
-- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
-
-- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
-
-- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
-
- - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
-
- - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
-
- - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
-
- - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
-
- - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
-
-- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
-
-
-### Enhanced level
-
-The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
-
-This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
-
-The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
-
-The data gathered at this level includes:
-
-- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
-
-- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
-
-- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
-
-- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
-
-If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
-
-#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics
-Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**.
-
-In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
-
-- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic.
-
-- **Some crash dump types.** All crash dump types, except for heap and full dumps.
-
-**To turn on this behavior for devices**
-
-1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM.
-
- a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**.
-
- -OR-
-
- b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**.
-
- -AND-
-
-2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
-
- a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**.
-
- -OR-
-
- b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**.
-
-### Full level
-
-The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro.
-
-Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
-
-If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem.
-
-However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
-
-- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
-
-- Ability to get registry keys.
-
-- All crash dump types, including heap dumps and full dumps.
-
-## Enterprise management
-
-Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
-
-Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
-
-IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this section describes how to use group policy to configure levels and settings interface.
-
-
-### Manage your diagnostic data settings
-
-We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
-
-> [!IMPORTANT]
-> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](https://technet.microsoft.com/library/jj863580.aspx).
-
-You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on.
-
-The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**.
-
-### Configure the operating system diagnostic data level
-
-You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device.
-
-Use the appropriate value in the table below when you configure the management policy.
-
-| Level | Data gathered | Value |
-| - | - | - |
-| Security | Security data only. | **0** |
-| Basic | Security data, and basic system and quality data. | **1** |
-| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** |
-| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
-
- > [!NOTE]
- > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting.
-
-### Use Group Policy to set the diagnostic data level
-
-Use a Group Policy object to set your organization’s diagnostic data level.
-
-1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
-
-2. Double-click **Allow Telemetry**.
-
-3. In the **Options** box, select the level that you want to configure, and then click **OK**.
-
-### Use MDM to set the diagnostic data level
-
-Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
-
-### Use Registry Editor to set the diagnostic data level
-
-Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
-
-1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
-
-2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
-
-3. Type **AllowTelemetry**, and then press ENTER.
-
-4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
-
-5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
-
-### Configure System Center 2016 diagnostic data
-
-For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps:
-
-- Turn off diagnostic data by using the System Center UI Console settings workspace.
-
-- For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
-
-### Additional diagnostic data controls
-
-There are a few more settings that you can turn off that may send diagnostic data information:
-
-- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
-
-- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
-
-- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
-
-- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
-
- > [!NOTE]
- > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
-
-## Additional resources
-
-FAQs
-
-- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy)
-- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
-- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy)
-- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy)
-- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
-- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq)
-- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
-- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
-- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization)
-
-Blogs
-
-- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
-
-Privacy Statement
-
-- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
-
-TechNet
-
-- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-
-Web Pages
-
-- [Privacy at Microsoft](https://privacy.microsoft.com)
-
-
+---
+description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
+title: Configure Windows diagnostic data in your organization (Windows 10)
+keywords: privacy
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: brianlic-msft
+ms.date: 04/04/2018
+---
+
+# Configure Windows diagnostic data in your organization
+
+**Applies to**
+
+- Windows 10 Enterprise
+- Windows 10 Mobile
+- Windows Server
+
+At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
+
+To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
+
+- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
+- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
+- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
+- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
+- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
+- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
+
+This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
+
+Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
+
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
+
+## Overview
+
+In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
+
+For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
+
+## Understanding Windows diagnostic data
+
+Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
+
+The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
+
+### What is Windows diagnostic data?
+Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
+
+- Keep Windows up to date
+- Keep Windows secure, reliable, and performant
+- Improve Windows – through the aggregate analysis of the use of Windows
+- Personalize Windows engagement surfaces
+
+Here are some specific examples of Windows diagnostic data:
+
+- Type of hardware being used
+- Applications installed and usage details
+- Reliability information on device drivers
+
+### What is NOT diagnostic data?
+
+Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request.
+
+There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
+
+If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+
+The following are specific examples of functional data:
+
+- Current location for weather
+- Bing searches
+- Wallpaper and desktop settings synced across multiple devices
+
+### Diagnostic data gives users a voice
+
+Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
+
+### Drive higher app and driver quality
+
+Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
+
+#### Real-world example of how Windows diagnostic data helps
+There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
+
+### Improve end-user productivity
+
+Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
+
+- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
+- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
+- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
+
+**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
+
+
+### Insights into your own organization
+
+Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+
+#### Upgrade Readiness
+
+Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
+
+To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
+
+With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
+
+Use Upgrade Readiness to get:
+
+- A visual workflow that guides you from pilot to production
+- Detailed computer, driver, and application inventory
+- Powerful computer level search and drill-downs
+- Guidance and insights into application and driver compatibility issues with suggested fixes
+- Data driven application rationalization tools
+- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
+- Data export to commonly used software deployment tools
+
+The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
+
+## How is diagnostic data handled by Microsoft?
+
+### Data collection
+
+Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
+
+1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
+2. Events are gathered using public operating system event logging and tracing APIs.
+3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
+4. The Connected User Experiences and Telemetry component transmits the diagnostic data.
+
+Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
+
+### Data transmission
+
+All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
+
+The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day).
+
+
+### Endpoints
+
+The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
+
+The following table defines the endpoints for Connected User Experiences and Telemetry component:
+
+Windows release | Endpoint
+--- | ---
+Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1Functional: v20.vortex-win.data.microsoft.com/collect/v1Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1settings-win.data.microsoft.com
+Windows 10, version 1607 | v10.vortex-win.data.microsoft.comsettings-win.data.microsoft.com
+
+The following table defines the endpoints for other diagnostic data services:
+
+| Service | Endpoint |
+| - | - |
+| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
+| | ceuswatcab01.blob.core.windows.net |
+| | ceuswatcab02.blob.core.windows.net |
+| | eaus2watcab01.blob.core.windows.net |
+| | eaus2watcab02.blob.core.windows.net |
+| | weus2watcab01.blob.core.windows.net |
+| | weus2watcab02.blob.core.windows.net |
+| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
+| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
+
+### Data use and access
+
+The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+
+### Retention
+
+Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
+
+## Diagnostic data levels
+This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
+
+The diagnostic data is categorized into four levels:
+
+- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
+
+- **Basic**. Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
+
+- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
+
+- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
+
+The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016.
+
+
+
+### Security level
+
+The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
+
+> [!NOTE]
+> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
+
+Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
+
+The data gathered at this level includes:
+
+- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
+
+- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
+
+ > [!NOTE]
+ > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
+
+- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
+
+ > [!NOTE]
+ > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
+
+ Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
+
+For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
+
+No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
+
+### Basic level
+
+The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
+
+The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
+
+The data gathered at this level includes:
+
+- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include:
+
+ - Device attributes, such as camera resolution and display type
+
+ - Internet Explorer version
+
+ - Battery attributes, such as capacity and type
+
+ - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
+
+ - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
+
+ - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
+
+ - Operating system attributes, such as Windows edition and virtualization state
+
+ - Storage attributes, such as number of drives, type, and size
+
+- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
+
+- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
+
+- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
+
+ - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
+
+ - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
+
+ - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
+
+ - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
+
+ - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
+
+- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
+
+
+### Enhanced level
+
+The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
+
+This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
+
+The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
+
+The data gathered at this level includes:
+
+- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
+
+- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
+
+- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
+
+- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
+
+If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
+
+#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics
+Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**.
+
+In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
+
+- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic.
+
+- **Some crash dump types.** All crash dump types, except for heap and full dumps.
+
+**To turn on this behavior for devices**
+
+1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM.
+
+ a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**.
+
+ -OR-
+
+ b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**.
+
+ -AND-
+
+2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
+
+ a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**.
+
+ -OR-
+
+ b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**.
+
+### Full level
+
+The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro.
+
+Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
+
+If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem.
+
+However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
+
+- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
+
+- Ability to get registry keys.
+
+- All crash dump types, including heap dumps and full dumps.
+
+## Enterprise management
+
+Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
+
+Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
+
+IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this section describes how to use group policy to configure levels and settings interface.
+
+
+### Manage your diagnostic data settings
+
+We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
+
+> [!IMPORTANT]
+> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](https://technet.microsoft.com/library/jj863580.aspx).
+
+You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on.
+
+The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**.
+
+### Configure the operating system diagnostic data level
+
+You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device.
+
+Use the appropriate value in the table below when you configure the management policy.
+
+| Level | Data gathered | Value |
+| - | - | - |
+| Security | Security data only. | **0** |
+| Basic | Security data, and basic system and quality data. | **1** |
+| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** |
+| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
+
+ > [!NOTE]
+ > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting.
+
+### Use Group Policy to set the diagnostic data level
+
+Use a Group Policy object to set your organization’s diagnostic data level.
+
+1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
+
+2. Double-click **Allow Telemetry**.
+
+3. In the **Options** box, select the level that you want to configure, and then click **OK**.
+
+### Use MDM to set the diagnostic data level
+
+Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
+
+### Use Registry Editor to set the diagnostic data level
+
+Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
+
+1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
+
+2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
+
+3. Type **AllowTelemetry**, and then press ENTER.
+
+4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
+
+5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
+
+### Configure System Center 2016 diagnostic data
+
+For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps:
+
+- Turn off diagnostic data by using the System Center UI Console settings workspace.
+
+- For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
+
+### Additional diagnostic data controls
+
+There are a few more settings that you can turn off that may send diagnostic data information:
+
+- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
+
+- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
+
+- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
+
+- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
+
+ > [!NOTE]
+ > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
+
+## Additional resources
+
+FAQs
+
+- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy)
+- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
+- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy)
+- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy)
+- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
+- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq)
+- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
+- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
+- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization)
+
+Blogs
+
+- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
+
+Privacy Statement
+
+- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
+
+TechNet
+
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+
+Web Pages
+
+- [Privacy at Microsoft](https://privacy.microsoft.com)
+
+
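Review bot: The table under "Configure the operating system diagnostic data level" and step 4 of the Registry Editor procedure offer value **0** (Security) without repeating the restriction stated at the top of this section, that the Security level is available on Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016; add a note beside the table naming the editions that accept 0, so an admin who sets it elsewhere does not assume Security-only collection. In the same procedure, step 1 points at `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection`, which is the policy key itself, so "it will override this registry setting" would be clearer as a statement that a Group Policy or MDM refresh overwrites a manually written value. Smaller points: "how you can to opt in or opt out" has a stray "to", and the "Configure System Center 2016 diagnostic data" heading is followed by text scoped to "System Center 2016 Technical Preview".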
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index dc82af4768..c3e3209466 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -16,6 +16,7 @@ ms.date: 01/17/2018
**Applies to**
+- Windows 10, version 1809
- Windows 10, version 1803
## Introduction
@@ -78,7 +79,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
To signify your contribution, you’ll see this icon () if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon ().
-- **Provide diagnostic event feedback.** The **Feedback** icon opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.
+- **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.
Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**.
@@ -96,12 +97,22 @@ When you're done reviewing your diagnostic data, you should turn of data viewing

## View additional diagnostic data in the View problem reports tool
-You can review additional Windows Error Reporting diagnostic data in the **View problem reports** tool. This tool provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system.
+Available on Windows 1809 and higher, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer.
+This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting.
+We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system.
-**To view your Windows Error Reporting diagnostic data**
-1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.
-OR-
- Go to **Start** and search for _Problem Reports_.
+You can also use the Windows Error Reporting tool available in the Control Panel.
- The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
+**To view your Windows Error Reporting diagnostic data using the Diagnostic Data Viewer**
- 
+Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.
+
+
+
+**To view your Windows Error Reporting diagnostic data using the Control Panel**
+
+Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.
-OR-
+Go to **Start** and search for _Problem Reports_.
+The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
+
+
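Review bot: The new "To view your Windows Error Reporting diagnostic data using the Diagnostic Data Viewer" heading is followed by no steps, only a sentence that repeats the section intro ("Starting with Windows 1809 and higher, you can review ...") and a screenshot; replace that sentence with the actual navigation steps. "Windows 1809" should be "Windows 10, version 1809" to match the Applies to list, "Starting with ... and higher" is redundant, and the section heading still says "View problem reports tool" while the body now calls it a page. Both screenshots carry the same alt text, "Location to see problem reports", although the second one is the Control Panel tool.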
diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index 3f4c11004e..8952d30367 100644
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -1,6 +1,6 @@
---
description: Use this article to learn more about the enhanced diagnostic data events used by Windows Analytics
-title: Windows 10, version 1709 enhanced telemtry events and fields used by Windows Analytics (Windows 10)
+title: Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics (Windows 10)
keywords: privacy, diagnostic data
ms.prod: w10
ms.mktglfcycl: manage
@@ -8,8 +8,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
ms.date: 10/16/2017
-author: jaimeo
-ms.author: jaimeo
+author: danihalfin
+ms.author: daniha
---
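Review bot: `ms.date: 10/16/2017` is left as context in this front-matter hunk although the same commit changes the author fields and adds 16 event sections to the topic; update ms.date here so the metadata reflects the revision.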
@@ -57,6 +57,184 @@ The following fields are available:
- **WriteCountAtExit_Sum:** Total number of IO writes for a process when it exited
- **WriteSizeInKBAtExit_Sum:** Total size of IO writes for a process when it exited
+## Microsoft.Office.TelemetryEngine.IsPreLaunch
+Applicable for Office UWP applications. This event is fired when an office application is initiated for the first-time post upgrade/install from the store. This is part of basic diagnostic data, used to track whether a particular session is launch session or not.
+
+- **appVersionBuild:** Third part of the version *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **SessionID:** ID of the session
+
+## Microsoft.Office.SessionIdProvider.OfficeProcessSessionStart
+This event sends basic information upon the start of a new Office session. This is used to count the number of unique sessions seen on a given device. This is used as a heartbeat event to ensure that the application is running on a device or not. In addition, it serves as a critical signal for overall application reliability.
+
+- **AppSessionGuid:** ID of the session which maps to the process of the application
+- **processSessionId:** ID of the session which maps to the process of the application
+
+## Microsoft.Office.TelemetryEngine.SessionHandOff
+Applicable to Win32 Office applications. This event helps us understand whether there was a new session created to handle a user-initiated file open event. It is a critical diagnostic information that is used to derive reliability signal and ensure that the application is working as expected.
+
+- **appVersionBuild:** Third part Build version of the application *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **childSessionID:** Id of the session that was created to handle the user initiated file open
+- **parentSessionId:** ID of the session that was already running
+
+## Microsoft.Office.CorrelationMetadata.UTCCorrelationMetadata
+Collects Office metadata through UTC to compare with equivalent data collected through the Office telemetry pipeline to check correctness and completeness of data.
+
+- **abConfigs:** List of features enabled for this session
+- **abFlights:** List of features enabled for this session
+- **AppSessionGuid:** ID of the session
+- **appVersionBuild:** Third part Build version of the application *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRevision:** Fourth part of the version *.*.*.XXXXX
+- **audienceGroup:** Is this part of the insiders or production
+- **audienceId:** ID of the audience setting
+- **channel:** Are you part of Semi annual channel or Semi annual channel-Targeted?
+- **deviceClass:** Is this a desktop or a mobile?
+- **impressionId:** What features were available to you in this session
+- **languageTag:** Language of the app
+- **officeUserID:** A unique identifier tied to the office installation on a particular device.
+- **osArchitecture:** Is the machine 32 bit or 64 bit?
+- **osEnvironment:** Is this a win32 app or a UWP app?
+- **osVersionString:** Version of the OS
+- **sessionID:** ID of the session
+
+## Microsoft.Office.ClickToRun.UpdateStatus
+Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite (Success or failure with error details).
+
+- **build:** App version
+- **channel:** Is this part of SAC or SAC-T?
+- **errorCode:** What error occurred during the upgrade process?
+- **errorMessage:** what was the error message during the upgrade process?
+- **status:** Was the upgrade successful or not?
+- **targetBuild:** What app version were we trying to upgrade to?
+
+## Microsoft.Office.TelemetryEngine.FirstIdle
+This event is fired when the telemetry engine within an office application is ready to send telemetry. Used for understanding whether there are issues in telemetry.
+
+- **appVersionBuild:** Third part of the version *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **SessionID:** ID of the session
+
+## Microsoft.Office.TelemetryEngine.FirstProcessed
+This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Used for understanding whether there are issues in telemetry.
+
+- **appVersionBuild:** Third part of the version *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **SessionID:** ID of the session
+
+## Microsoft.Office.TelemetryEngine.FirstRuleRequest
+This event is fired when the telemetry engine within an office application has received the first rule or list of events that need to be sent by the app. Used for understanding whether there are issues in telemetry.
+
+- **appVersionBuild:** Third part of the version *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **SessionID:** ID of the session
+
+## Microsoft.Office.TelemetryEngine.Init
+This event is fired when the telemetry engine within an office application has been initialized or not. Used for understanding whether there are issues in telemetry.
+
+- **appVersionBuild:** Third part of the version *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **SessionID:** ID of the session
+
+## Microsoft.Office.TelemetryEngine.Resume
+This event is fired when the application resumes from sleep state. Used for understanding whether there are issues in the application life-cycle.
+
+- **appVersionBuild:** Third part of the version *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **maxSequenceIdSeen:** How many events from this session have seen so far?
+- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
+- **SessionID:** ID of the session
+
+## Microsoft.Office.TelemetryEngine.RuleRequestFailed
+This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the list of telemetry events. Used for understanding whether there are issues in telemetry.
+
+- **appVersionBuild:** Third part of the version *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **SessionID:** ID of the session
+
+## Microsoft.Office.TelemetryEngine.RuleRequestFailedDueToClientOffline
+This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the list of telemetry events, when the device is offline. Used for understanding whether there are issues in telemetry.
+
+- **appVersionBuild:** Third part of the version *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **SessionID:** ID of the session
+
+## Microsoft.Office.TelemetryEngine.ShutdownComplete
+This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not.
+
+- **appVersionBuild:** Third part of the version *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **maxSequenceIdSeen:** How many events from this session have seen so far?
+- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
+- **SessionID:** ID of the session
+
+## Microsoft.Office.TelemetryEngine.ShutdownStart
+This event is fired when the telemetry engine within an office application been uninitialized, and the application is shutting down. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not.
+
+- **appVersionBuild:** Third part of the version *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
+- **SessionID:** ID of the session
+
+## Microsoft.Office.TelemetryEngine.SuspendComplete
+This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Used for understanding whether there are issues in telemetry.
+
+- **appVersionBuild:** Third part of the version *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **maxSequenceIdSeen:** How many events from this session have seen so far?
+- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
+- **SessionID:** ID of the session
+- **SuspendType:** Type of suspend
+
+## Microsoft.Office.TelemetryEngine.SuspendStart
+This event is fired when the office application suspends as per app life-cycle change. Used for understanding whether there are issues in the application life-cycle.
+
+- **appVersionBuild:** Third part of the version *.*.XXXXX.*
+- **appVersionMajor:** First part of the version X.*.*.*
+- **appVersionMinor:** Second part of the version *.X.*.*
+- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
+- **maxSequenceIdSeen:** How many events from this session have seen so far?
+- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
+- **SessionID:** ID of the session
+- **SuspendType:** Type of suspend
+
## Microsoft.OSG.OSS.CredProvFramework.ReportResultStop
This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve logon reliability. Using this event with Windows Analytics can help organizations monitor and improve logon success for different methods (for example, biometric) on managed devices.
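Review bot: The descriptions for Microsoft.Office.TelemetryEngine.ShutdownComplete and Microsoft.Office.TelemetryEngine.SuspendComplete open with the same sentence as FirstProcessed ("has processed the rules or the list of events that we need to collect"), which looks like a copy-paste and does not say when these two events fire; describe the shutdown and suspend completion conditions instead. Field descriptions are duplicated in the same way: AppSessionGuid and processSessionId in OfficeProcessSessionStart, and abConfigs and abFlights in UTCCorrelationMetadata, read identically, so someone auditing what is collected cannot tell them apart. Also worth fixing before merge: UTCCorrelationMetadata uses appVersionRevision where every other event uses appVersionRev (confirm the real field name), ShutdownStart and ShutdownComplete list rulesSubmittedBeforeResume, IsPreLaunch is described as "part of basic diagnostic data" in a topic about Enhanced-level events, and the new sections omit the "The following fields are available:" lead-in that the existing events use.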
@@ -251,7 +429,13 @@ The following fields are available:
- **WindowHeight:** Number of vertical pixels in the application window
- **WindowWidth:** Number of horizontal pixels in the application window
-# Revisions to the diagnostic data events and fields
+## Revisions
-## PartA_UserSid removed
-A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event. Note that you can use the Windows Diagnostic Data Viewer to review the contents of the event.
+### PartA_UserSid removed
+A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event.
+
+### Office events added
+In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 16 events were added, describing Office app launch and availability. These events were added to improve the precision of Office data in Windows Analytics.
+
+>[!NOTE]
+>You can use the Windows Diagnostic Data Viewer to observe and review events and their fields as described in this topic.
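Review bot: The `>[!NOTE]` about the Windows Diagnostic Data Viewer now sits under "### Office events added", so it reads as applying only to that revision, while its text refers to events "as described in this topic"; move it above "## Revisions" or into the topic introduction. The "Office events added" entry also extends the list to versions 1809 and 1803, but the title changed earlier in this file still says "Windows 10, version 1709", so align the title with the versions covered.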
diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md
index dd46e67249..d7673c5f3d 100644
--- a/windows/privacy/gdpr-it-guidance.md
+++ b/windows/privacy/gdpr-it-guidance.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 and the GDPR for IT Decision Makers
+title: Windows and the GDPR-Information for IT Administrators and Decision Makers
description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation).
keywords: privacy, GDPR, windows, IT
ms.prod: w10
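Review bot: The front-matter title reads "Windows and the GDPR-Information for IT Administrators and Decision Makers" with an unspaced hyphen, while the H1 changed in the next hunk uses "Windows and the GDPR: Information for ..."; if the colon was dropped to keep the YAML valid, quote the title value and keep the colon so the two match.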
@@ -11,12 +11,17 @@ author: danihalfin
ms.author: daniha
ms.date: 05/11/2018
---
-# Windows 10 and the GDPR for IT Decision Makers
+# Windows and the GDPR: Information for IT Administrators and Decision Makers
Applies to:
+- Windows 10, version 1809
- Windows 10, version 1803
- Windows 10, version 1709
- Windows 10, version 1703
+- Windows 10 Team Edition, version 1703 for Surface Hub
+- Windows Server 2019
+- Windows Server 2016
+- Windows Analytics
This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship.
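Review bot: The intro sentence kept as context still says the topic "provides IT Decision Makers with a basic understanding", which no longer matches the new H1 addressed to IT Administrators and Decision Makers; update that sentence in this change. `ms.date: 05/11/2018` in the hunk header is also left unchanged although the Applies to list gains Windows 10, version 1809, Windows Server 2019, Windows Server 2016 and Windows Analytics.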
@@ -35,7 +40,7 @@ Here are some GDPR fundamentals:
* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored.
* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*.
-Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR requires significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
+Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
### What is personal data under the GDPR?
@@ -87,7 +92,7 @@ It is important to differentiate between two distinct types of data Windows serv
A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality.
Some other examples of Windows functional data:
-* The Weather app which uses the device’s location to retrieve local weather or community news.
+* The Weather app which can use the device’s location to retrieve local weather or community news.
* Wallpaper and desktop settings that are synchronized across multiple devices.
For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
@@ -100,10 +105,10 @@ Some examples of diagnostic data include:
* The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device.
* For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user.
-To find more about what information is collected, how it is handled, and the available Windows diagnostic data levels, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data) and [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data).
>[!IMPORTANT]
->Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data to the respective publisher. Please contact them for further guidance on how to control the diagnostic data collection level and transmission of these publishers.
+>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services.
### Windows services where Microsoft is the processor under the GDPR
@@ -123,7 +128,7 @@ As a result, in terms of the GDPR, the organization that has subscribed to Windo
>The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes.
>[!IMPORTANT]
->Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for a particular device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
+>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
#### Windows Defender ATP
@@ -140,27 +145,43 @@ The following table lists in what GDPR mode – controller or processor – Wind
| Service | Microsoft GDPR mode of operation |
| --- | --- |
-| Windows Functional data | Controller |
+| Windows Functional data | Controller or Processor* |
| Windows Diagnostic data | Controller |
| Windows Analytics | Processor |
| Windows Defender Advanced Threat Detection (ATP) | Processor |
*Table 1: Windows 10 GDPR modes of operations for different Windows 10 services*
-## Recommended diagnostic data level settings
+*/*Depending on which application/feature this is referring to.*
-Windows diagnostic data collection level can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques.
+## Windows diagnostic data and Windows 10
-* For Windows 10, version 1803, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). Those organizations who wish to share the smallest set of events for Windows Analytics can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” filtering mechanism that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics.
+
+### Recommended Windows 10 settings
+
+Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques.
+
+* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics).
>[!NOTE]
>For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
* For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”.
-* For Windows 7, Microsoft recommends configuring enterprise devices for Windows Analytics to facilitate upgrade planning to Windows 10.
+>[!NOTE]
+>For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10.
-## Controlling the data collection and notification about it
+### Additional information for Windows Analytics
+
+Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”.
+
+Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics.
+
+>[!NOTE]
+>Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy
+).
+
+## Controlling Windows 10 data collection and notification about it
Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft.
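Review bot: The NOTE added at the end of "Additional information for Windows Analytics" splits its link target across two lines (`(/windows/deployment/update/windows-analytics-privacy` followed by `).` on the next line), so it will not render as a link; put the closing parenthesis on the same line as the URL. In the same section, "This filtering mechanism was that Microsoft introduced in Windows 10, version 1709" is garbled (suggest "Microsoft introduced this filtering mechanism in Windows 10, version 1709") and "such as Update Compliance, works with" should read "work with". Under Table 1, the footnote line starts with `*/*`, which leaves the asterisk in "Controller or Processor*" without a matching marker; escape it as `\*` in both the cell and the footnote. The footnote would also be more useful if it named the applications or features for which Microsoft acts as processor.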
@@ -200,10 +221,38 @@ IT Professionals that are interested in this configuration, see [Windows 10 pers
To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional.
-## At-a-glance: the relationship between an IT organization and the GDPR
+### At-a-glance: the relationship between an IT organization and the GDPR
Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings.
+## Windows Server
+
+Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when collecting Windows diagnostic data.
+
+More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server.
+
+### Windows diagnostic data and Windows Server
+
+The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”.
+
+IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings.
+
+### Backups and Windows Server
+
+Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data.
+
+- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR).
+- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR.
+
+## Windows 10 Team Edition, Version 1703 for Surface Hub
+
+Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store.
+
+>[!NOTE]
+>Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this.
+
+An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub).
+
## Further reading
### Optional settings / features that further improve the protection of personal data
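Review bot: In the new "Windows Server" section, the sentence "More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server." names an article but carries no link; add the link or the reader has nowhere to go. Wording fixes in the added text: "Backups an organizations creates" should be "Backups an organization creates", "to backup files and folders" should be "to back up files and folders", and "privacy- related settings" in the Surface Hub paragraph has a stray space. The Windows Server diagnostic data paragraph states that the default level is "Enhanced" and the lowest policy level is "Security" but gives no recommended level, unlike the Windows 10 section; consider saying which level is recommended for servers.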
@@ -215,11 +264,11 @@ Personal data protection is one of the goals of the GDPR. One way of improving p
### Windows Security Baselines
-Microsoft has created Windows Security Baselines to efficiently configure Windows 10. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines).
+Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines).
### Windows Restricted Traffic Limited Functionality Baseline
-To make it easier to deploy settings that restrict connections from Windows 10 to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887).
+To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887).
>[!IMPORTANT]
>Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended.
diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md
index 5a54e998e6..a8a0214f4a 100644
--- a/windows/privacy/gdpr-win10-whitepaper.md
+++ b/windows/privacy/gdpr-win10-whitepaper.md
@@ -293,7 +293,7 @@ For example, employees can’t send protected work files from a personal email a
#### Capabilities to classify, assign permissions and share data
Windows Information Protection is designed to coexist with advanced data loss prevention (DLP) capabilities found in Office 365 ProPlus, Azure Information Protection, and Azure Rights Management. Advanced DLP prevents printing, for example, or protects work data that is emailed outside your company.
-To continously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud.
+To continuously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud.
Data classification is an important part of any data governance plan. Adopting a classification scheme that applies throughout your business can be particularly helpful in responding to what the GDPR calls data subject (for example, your EU employee or customer) requests, because it enables enterprises to identify more readily and process personal data requests.
@@ -332,4 +332,4 @@ This article does not provide you with any legal rights to any intellectual prop
Published September 2017
Version 1.0
-© 2017 Microsoft. All rights reserved.
\ No newline at end of file
+© 2017 Microsoft. All rights reserved.
diff --git a/windows/privacy/images/ddv-problem-reports-screen.png b/windows/privacy/images/control-panel-problem-reports-screen.png
similarity index 100%
rename from windows/privacy/images/ddv-problem-reports-screen.png
rename to windows/privacy/images/control-panel-problem-reports-screen.png
diff --git a/windows/privacy/images/ddv-problem-reports.png b/windows/privacy/images/ddv-problem-reports.png
new file mode 100644
index 0000000000..49ae0fffc0
Binary files /dev/null and b/windows/privacy/images/ddv-problem-reports.png differ
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 865d98939f..3ac0a072a3 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -18,6 +18,7 @@ ms.date: 06/05/2018
- Windows 10 Enterprise, version 1607 and newer
- Windows Server 2016
+- Windows Server 2019
If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
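Review bot: The "Applies to" list gains Windows Server 2019 here, but this first hunk starts at line 18 and the hunk header still shows `ms.date: 06/05/2018`, so the front matter date is not updated by this patch. Bump `ms.date` so readers can tell the article was revised for version 1809 and Windows Server 2019.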
@@ -43,6 +44,12 @@ Note that **Get Help** and **Give us Feedback** links no longer work after the W
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
+## What's new in Windows 10, version 1809 Enterprise edition
+
+Here's a list of changes that were made to this article for Windows 10, version 1809:
+
+- Added a policy to disable Windows Defender SmartScreen
+
## What's new in Windows 10, version 1803 Enterprise edition
Here's a list of changes that were made to this article for Windows 10, version 1803:
@@ -99,19 +106,19 @@ The following table lists management options for each setting, beginning with Wi
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
-| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  | | | |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  | |  | |
| [2. Cortana and Search](#bkmk-cortana) |  |  |  |  | |
| [3. Date & Time](#bkmk-datetime) |  |  | |  | |
-| [4. Device metadata retrieval](#bkmk-devinst) | |  | |  | |
-| [5. Find My Device](#find-my-device) | |  | | | |
-| [6. Font streaming](#font-streaming) | |  | |  | |
+| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |  | |
+| [5. Find My Device](#find-my-device) |  |  | |  | |
+| [6. Font streaming](#font-streaming) | |  |  |  | |
| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |  | |
| [8. Internet Explorer](#bkmk-ie) |  |  | |  | |
| [9. Live Tiles](#live-tiles) | |  | |  | |
| [10. Mail synchronization](#bkmk-mailsync) |  | |  |  | |
| [11. Microsoft Account](#bkmk-microsoft-account) | |  |  |  | |
| [12. Microsoft Edge](#bkmk-edge) |  |  |  |  | |
-| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  | |  | |
+| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |  | |
| [14. Offline maps](#bkmk-offlinemaps) |  |  | |  | |
| [15. OneDrive](#bkmk-onedrive) | |  | |  | |
| [16. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
@@ -142,6 +149,7 @@ The following table lists management options for each setting, beginning with Wi
| [21. Teredo](#bkmk-teredo) | |  | |  |  |
| [22. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
| [23. Windows Defender](#bkmk-defender) | |  |  |  | |
+| [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | |  |  |  | |
| [24. Windows Media Player](#bkmk-wmp) |  | | | |  |
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |  | |
| [26. Microsoft Store](#bkmk-windowsstore) | |  | |  | |
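Review bot: The added row spells the feature "Windows Defender Smartscreen", while the section heading added later in this patch uses "Windows Defender SmartScreen"; use the product capitalization in the table as well. The row links to `#bkmk-defender-smartscreen`, and the new heading as added reads `### 23.1 Windows Defender SmartScreen` with no explicit id, so please confirm the anchor resolves.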
@@ -202,6 +210,63 @@ See the following table for a summary of the management settings for Windows Ser
| [21. Teredo](#bkmk-teredo) | |  |
| [28. Windows Update](#bkmk-wu) |  | |
+### Settings for Windows Server 2019
+
+See the following table for a summary of the management settings for Windows Server 2019.
+
+| Setting | UI | Group Policy | MDM policy | Registry | Command line |
+| - | :-: | :-: | :-: | :-: | :-: |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  | |  | |
+| [2. Cortana and Search](#bkmk-cortana) |  |  |  |  | |
+| [3. Date & Time](#bkmk-datetime) |  |  | |  | |
+| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |  | |
+| [5. Find My Device](#find-my-device) |  |  | |  | |
+| [6. Font streaming](#font-streaming) | |  |  |  | |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |  | |
+| [8. Internet Explorer](#bkmk-ie) |  |  | |  | |
+| [9. Live Tiles](#live-tiles) | |  | |  | |
+| [10. Mail synchronization](#bkmk-mailsync) |  | |  |  | |
+| [11. Microsoft Account](#bkmk-microsoft-account) | |  |  |  | |
+| [12. Microsoft Edge](#bkmk-edge) |  |  |  |  | |
+| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |  | |
+| [14. Offline maps](#bkmk-offlinemaps) |  |  | |  | |
+| [15. OneDrive](#bkmk-onedrive) | |  | |  | |
+| [16. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
+| [17. Settings > Privacy](#bkmk-settingssection) | | | | | |
+| [17.1 General](#bkmk-general) |  |  |  |  | |
+| [17.2 Location](#bkmk-priv-location) |  |  |  |  | |
+| [17.3 Camera](#bkmk-priv-camera) |  |  |  |  | |
+| [17.4 Microphone](#bkmk-priv-microphone) |  |  |  |  | |
+| [17.5 Notifications](#bkmk-priv-notifications) |  |  | |  | |
+| [17.6 Speech, inking, & typing](#bkmk-priv-speech) |  |  |  |  | |
+| [17.7 Account info](#bkmk-priv-accounts) |  |  |  |  | |
+| [17.8 Contacts](#bkmk-priv-contacts) |  |  |  |  | |
+| [17.9 Calendar](#bkmk-priv-calendar) |  |  |  |  | |
+| [17.10 Call history](#bkmk-priv-callhistory) |  |  |  |  | |
+| [17.11 Email](#bkmk-priv-email) |  |  |  |  | |
+| [17.12 Messaging](#bkmk-priv-messaging) |  |  |  |  | |
+| [17.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |  | |
+| [17.14 Radios](#bkmk-priv-radios) |  |  |  |  | |
+| [17.15 Other devices](#bkmk-priv-other-devices) |  |  |  |  | |
+| [17.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | |
+| [17.17 Background apps](#bkmk-priv-background) |  |  |  | | |
+| [17.18 Motion](#bkmk-priv-motion) |  |  |  |  | |
+| [17.19 Tasks](#bkmk-priv-tasks) |  |  |  |  | |
+| [17.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |  | |
+| [18. Software Protection Platform](#bkmk-spp) | |  |  |  | |
+| [19. Storage Health](#bkmk-storage-health) | |  | | | |
+| [20. Sync your settings](#bkmk-syncsettings) |  |  |  |  | |
+| [21. Teredo](#bkmk-teredo) | |  | |  |  |
+| [22. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
+| [23. Windows Defender](#bkmk-defender) | |  |  |  | |
+| [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | |  |  |  | |
+| [24. Windows Media Player](#bkmk-wmp) |  | | | |  |
+| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |  | |
+| [26. Microsoft Store](#bkmk-windowsstore) | |  | |  | |
+| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  | | |
+| [27. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |  | |
+| [28. Windows Update](#bkmk-wu) |  |  |  | | |
+
## How to configure each setting
Use the following sections for more information about how to configure each setting.
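Review bot: In the new Windows Server 2019 table, the "26.1 Apps for websites" row has five cells while the header declares six columns (every other row has six), so the row is one cell short; add the missing trailing `|` cell. The row set also mirrors the Windows 10 table one for one, including items such as Find My Device, Wi-Fi Sense and Windows Media Player, whereas the Server 2016 table just above is a much shorter list; please confirm each row actually applies to Windows Server 2019. "Windows Defender Smartscreen" should be capitalized "SmartScreen" here too.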
@@ -336,9 +401,17 @@ After that, configure the following:
### 4. Device metadata retrieval
-To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
+To prevent Windows from retrieving device metadata from the Internet:
-You can also create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one).
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
+
+ -or -
+
+- Create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one).
+
+ -or -
+
+- Apply the DeviceInstallation/PreventDeviceMetadataFromNetwork MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork).
### 5. Find My Device
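Review bot: The added MDM bullet for DeviceInstallation/PreventDeviceMetadataFromNetwork does not say which value to apply, while the registry bullet says "set it to 1 (one)" and the NCSI change in this same patch says "with a value of 1"; state the value so the three alternatives are equally actionable. The separators are written ` -or -` here but ` -or-` in the rest of the file; use one form.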
@@ -608,7 +681,7 @@ You can turn off NCSI by doing one of the following:
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
-- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy.
+- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) with a value of 1.
> [!NOTE]
> After you apply this policy, you must restart the device for the policy setting to take effect.
@@ -879,31 +952,13 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Micros
-or-
-- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**.
- In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**.
-
- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
- In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**.
-
- -or-
-
-- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
-
- -or-
-
- Create a provisioning package, using:
-
- - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen**
-
- - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen**
+ - For Internet Explorer: **Runtime settings > Policies > Browser > AllowSmartScreen**
+ - For Microsoft Edge: **Runtime settings > Policies > MicrosoftEdge > AllowSmartScreen**
-or-
-- Create a REG\_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost** with a value of 0 (zero).
-
- -or-
-
-- Create a REG\_DWORD registry setting named **EnableSmartScreen** in **HKEY\_LOCAL\_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero).
+- Create a REG_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost** with a value of 0 (zero).
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
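Review bot: The re-added EnableWebContentEvaluation bullet writes the path as `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost` and the type as `REG_DWORD`, dropping the `\_` and `\\` escaping that the removed line used and that other registry lines in this file still use. Keep one convention across the file, and check the rendered output of the bold path after the change. The hunk also deletes the blank lines and `-or-` separators between the alternatives; confirm the remaining bullets still render as separate options rather than one run-on list.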
@@ -1793,6 +1848,36 @@ For Windows 10 only, you can stop Enhanced Notifications:
You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
+### 23.1 Windows Defender SmartScreen
+
+To disable Windows Defender Smartscreen:
+
+- In Group Policy, configure - **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** : **Disable**
+
+ -or-
+
+- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable**
+
+ -and-
+
+- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**
+
+ -or-
+
+- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System** with a value of 0 (zero).
+
+ -and-
+
+- Create a REG_DWORD registry setting named **ConfigureAppInstallControlEnabled** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of 1.
+
+ -and-
+
+- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of **Anywhere**.
+
+ -or-
+
+- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
+
### 24. Windows Media Player
To remove Windows Media Player on Windows 10:
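Review bot: The EnableSmartScreen bullet in the new section 23.1 gives the key as `HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System`; "Sofware" is misspelled (carried over from the line removed earlier in this patch), and an administrator who copies it will write to a key that the policy does not read. Correct it to "Software". The chain of "-or-" and "-and-" separators is ambiguous about which bullets belong together; grouping them under three labelled options (Group Policy, registry, MDM) with the "-and-" items nested would remove the guesswork. The last alternative is a `Browser/` area policy, so please confirm it disables the same Explorer and app install checks as the other two options. The intro line also spells the feature "Smartscreen". Since this section turns off a protection feature, an [!IMPORTANT] callout stating the security trade-off would be appropriate.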
diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md
new file mode 100644
index 0000000000..db62a206fb
--- /dev/null
+++ b/windows/privacy/manage-windows-1709-endpoints.md
@@ -0,0 +1,488 @@
+---
+title: Connection endpoints for Windows 10, version 1709
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: danihalfin
+ms.author: daniha
+ms.date: 6/26/2018
+---
+# Manage connection endpoints for Windows 10, version 1709
+
+**Applies to**
+
+- Windows 10, version 1709
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
+
+We used the following methodology to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Enterprise connection endpoints
+
+## Apps
+
+The following endpoint is used to download updates to the Weather app Live Tile.
+If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com |
+
+The following endpoint is used for OneNote Live Tile.
+To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
+
+The following endpoints are used for Twitter updates.
+To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
+
+The following endpoint is used for Facebook updates.
+To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
+
+The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
+To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
+
+The following endpoint is used for Candy Crush Saga updates.
+To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
+
+The following endpoint is used for by the Microsoft Wallet app.
+To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
+
+The following endpoint is used by the Groove Music app for update HTTP handler status.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
+
+## Cortana and Search
+
+The following endpoint is used to get images that are used for Microsoft Store suggestions.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS |store-images.s-microsoft.com |
+
+The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client |
+
+The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive |
+
+The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
+
+## Certificates
+
+The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
+
+Additionally, it is used to download certificates that are publicly known to be fraudulent.
+These settings are critical for both Windows security and the overall security of the Internet.
+We do not recommend blocking this endpoint.
+If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
+
+## Device authentication
+
+The following endpoint is used to authenticate a device.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure |
+
+## Device metadata
+
+The following endpoint is used to retrieve device metadata.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+
+## Diagnostic Data
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
+
+The following endpoints are used by Windows Error Reporting.
+To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com |
+| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
+
+## Font streaming
+
+The following endpoints are used to download fonts on demand.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
+
+## Licensing
+
+The following endpoint is used for online activation and some app licensing.
+To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
+
+## Location
+
+The following endpoint is used for location data.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
+
+## Maps
+
+The following endpoint is used to check for updates to maps that have been downloaded for offline use.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
+
+## Microsoft account
+
+The following endpoints are used for Microsoft accounts to sign in.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
+
+## Microsoft Store
+
+The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.wns.windows.com |
+
+The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com |
+
+The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
+
+The following endpoints are used to communicate with Microsoft Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+
+## Network Connection Status Indicator (NCSI)
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
+
+## Office
+
+The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+
+The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
+
+The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
+
+## OneDrive
+
+The following endpoint is a redirection service that’s used to automatically update URLs.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
+
+The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
+To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
+
+## Settings
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
+
+## Skype
+
+The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
+
+
+
+## Windows Defender
+
+The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
+
+The following endpoints are used for Windows Defender definition updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com |
+
+## Windows Spotlight
+
+The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com |
+| | HTTPS | query.prod.cms.rt.microsoft.com |
+
+## Windows Update
+
+The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
+
+The following endpoints are used to download operating system patches and updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
+
+The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
+
+The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
+
+The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
+
+The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com |
+
+The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com |
+| svchost | | fe3.delivery.mp.microsoft.com |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
+| svchost | HTTPS | sls.update.microsoft.com |
+
+The following endpoint is used for content regulation.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
+
+The following endpoints are used to download content.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
+
+## Microsoft forward link redirection service (FWLink)
+
+The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
+
+If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
+
+## Other Windows 10 versions and editions
+
+To view endpoints for other versions of Windows 10 enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
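Review bot: the Certificates section says that blocking ctldl.windowsupdate.com "increases the attack vector on the device"; a vector does not grow, so say "increases the attack surface" or state the effect directly (the device keeps trusting certificates that are publicly known to be fraudulent). Other wording defects in this added file should be fixed in the same pass: "is used for by the Microsoft Wallet app", "diagnostic and diagnostic data information" in the Cortana paragraph, "will not able to" in the OneDrive for Business and emdl.ws.microsoft.com paragraphs, the unmatched ")" after "has not acquired" in the TLU paragraph, and the second Office paragraph, which opens with "The following endpoint" and then refers to "these endpoints". The `searchui` / `backgroundtaskhost` row of the Cortana diagnostic table is split across two lines, which breaks the table when rendered; put both process names in one cell on a single row. The image-files paragraph in the Microsoft Store section repeats the "apps cannot be installed or updated" and revocation consequences from the neighbouring Store paragraphs; confirm that blocking img-prod-cms-rt-microsoft-com.akamaized.net really has that effect or trim the sentence. The file also ends without a trailing newline.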
diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md
similarity index 68%
rename from windows/privacy/manage-windows-endpoints.md
rename to windows/privacy/manage-windows-1803-endpoints.md
index 721814aabe..56cece92c2 100644
--- a/windows/privacy/manage-windows-endpoints.md
+++ b/windows/privacy/manage-windows-1803-endpoints.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 connection endpoints
+title: Connection endpoints for Windows 10, version 1803
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
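Review bot: the `title` now names version 1803, but the `description` and `keywords` lines are left generic ("Explains what Windows 10 endpoints are used for ..."), so this page will be indistinguishable from the sibling per-version endpoint pages in search results and link previews; add "version 1803" to the description as well. The file is also renamed from manage-windows-endpoints.md to manage-windows-1803-endpoints.md, so any existing inbound links to the old name need a redirect entry or an update in the same change.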
@@ -10,11 +10,11 @@ author: danihalfin
ms.author: daniha
ms.date: 6/26/2018
---
-# Manage Windows 10 connection endpoints
+# Manage connection endpoints for Windows 10, version 1803
**Applies to**
-- Windows 10, version 1709 and later
+- Windows 10, version 1803
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
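Review bot: `ms.date: 6/26/2018` is left unchanged in this hunk even though the heading and the "Applies to" scope are rewritten (from "version 1709 and later" to "version 1803"); bump the date so readers can tell the scope change is current. While this block is being touched, the context line "Some Windows components, app, and related services" should read "apps".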
@@ -46,252 +46,252 @@ We used the following methodology to derive these network endpoints:
The following endpoint is used to download updates to the Weather app Live Tile.
If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| explorer | HTTP | tile-service.weather.microsoft.com | 1709 |
-| | HTTP | blob.weather.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com |
+| | HTTP | blob.weather.microsoft.com |
The following endpoint is used for OneNote Live Tile.
To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
The following endpoints are used for Twitter updates.
To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | wildcard.twimg.com | 1709 |
-| svchost.exe | | oem.twimg.com/windows/tile.xml | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
The following endpoint is used for Facebook updates.
To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | star-mini.c10r.facebook.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
The following endpoint is used for Candy Crush Saga updates.
To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | TLS v1.2 | candycrushsoda.king.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
The following endpoint is used for by the Microsoft Wallet app.
To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
The following endpoint is used by the Groove Music app for update HTTP handler status.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
## Cortana and Search
The following endpoint is used to get images that are used for Microsoft Store suggestions.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| searchui | HTTPS |store-images.s-microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS |store-images.s-microsoft.com |
The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| backgroundtaskhost | HTTPS | www.bing.com/client | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client |
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| backgroundtaskhost | HTTPS | www.bing.com/proactive | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive |
The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
## Certificates
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTP | ctldl.windowsupdate.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
The following endpoints are used to download certificates that are publicly known to be fraudulent.
These settings are critical for both Windows security and the overall security of the Internet.
We do not recommend blocking this endpoint.
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTP | ctldl.windowsupdate.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
## Device authentication
The following endpoint is used to authenticate a device.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | login.live.com/ppsecure | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure |
## Device metadata
The following endpoint is used to retrieve device metadata.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | dmd.metaservices.microsoft.com.akadns.net | 1709 |
-| | HTTP | dmd.metaservices.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+| | HTTP | dmd.metaservices.microsoft.com |
## Diagnostic Data
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | cy2.vortex.data.microsoft.com.akadns.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
The following endpoints are used by Windows Error Reporting.
To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| wermgr | | watson.telemetry.microsoft.com | 1709 |
-| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com |
+| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
## Font streaming
The following endpoints are used to download fonts on demand.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | fs.microsoft.com | 1709 |
-| | | fs.microsoft.com/fs/windows/config.json | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
## Licensing
The following endpoint is used for online activation and some app licensing.
To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
## Location
The following endpoint is used for location data.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | location-inference-westus.cloudapp.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
## Maps
The following endpoint is used to check for updates to maps that have been downloaded for offline use.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | *g.akamaiedge.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
## Microsoft account
The following endpoints are used for Microsoft accounts to sign in.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | login.msa.akadns6.net | 1709 |
-| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
## Microsoft Store
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | *.wns.windows.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.wns.windows.com |
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | storecatalogrevocation.storequality.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com |
The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | 1709 |
-| backgroundtransferhost | HTTPS | store-images.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
+| backgroundtransferhost | HTTPS | store-images.microsoft.com |
The following endpoints are used to communicate with Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | storeedgefd.dsx.mp.microsoft.com | 1709 |
-| | HTTP | pti.store.microsoft.com | 1709 |
-||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| 1709 |
-| svchost | HTTPS | displaycatalog.mp.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+| svchost | HTTPS | displaycatalog.mp.microsoft.com |
## Network Connection Status Indicator (NCSI)
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | www.msftconnecttest.com/connecttest.txt | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
## Office
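Review bot: Removing the "Applies from Windows 10 version" column drops information that was not uniform across rows. In Device metadata, `dmd.metaservices.microsoft.com` was marked 1803 while the row above it was 1709, and in Microsoft Store `store-images.microsoft.com` and `displaycatalog.mp.microsoft.com` were also 1803. Anyone maintaining a per-release egress allowlist can no longer tell from these tables which destinations belong to which release, so either state on the page which release the list covers or keep a version note on the rows that differed. Two smaller things since these tables are being rewritten anyway: the Cortana diagnostic row is still split over two lines here (`| searchui` followed by `backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |`), which will not read as one table row, and the two Certificates tables both list only `ctldl.windowsupdate.com` under text that switches between "endpoints" and "this endpoint". Merging them would make it clearer what must stay reachable for the fraudulent-certificate downloads.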
@@ -299,74 +299,74 @@ The following endpoints are used to connect to the Office 365 portal's shared in
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | *.a-msedge.net | 1709 |
-| hxstr | | *.c-msedge.net | 1709 |
-| | | *.e-msedge.net | 1709 |
-| | | *.s-msedge.net | 1709 |
-| | HTTPS | ocos-office365-s2s.msedge.net | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+| | HTTPS | ocos-office365-s2s.msedge.net |
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| system32\Auth.Host.exe | HTTPS | outlook.office365.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
## OneDrive
The following endpoint is a redirection service that’s used to automatically update URLs.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| onedrive | HTTPS | oneclient.sfx.ms | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
## Settings
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| dmclient | | cy2.settings.data.microsoft.com.akadns.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| dmclient | HTTPS | settings.data.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | settings-win.data.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
## Skype
The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
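Review bot: The source process in the OfficeHub row, `|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|`, is carried over unchanged and deserves a check on two counts. It names the Photos app for traffic the text attributes to OfficeHub, and it is spelled `Windows Apps\` with a space where the Photos row earlier in this file uses `WindowsApps\`. Process-scoped firewall and proxy rules are built from this column, so confirm the actual process and make the path spelling consistent before merging. The Office table also had one row, `ocos-office365-s2s.msedge.net`, marked 1803 against 1709 for the others, and that distinction disappears with the column. In the OneDrive table the protocol cell `HTTP \ HTTPS` would read better as "HTTP / HTTPS".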
@@ -375,102 +375,102 @@ The following endpoint is used to retrieve Skype configuration values. To turn o
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | wdcp.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
The following endpoints are used for Windows Defender definition updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | definitionupdates.microsoft.com | 1709 |
-|MpCmdRun.exe|HTTPS|go.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com |
## Windows Spotlight
The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| backgroundtaskhost | HTTPS | arc.msn.com | 1709 |
-| backgroundtaskhost | | g.msn.com.nsatc.net | 1709 |
-| |TLS v1.2| *.search.msn.com | 1709 |
-| | HTTPS | ris.api.iris.microsoft.com | 1709 |
-| | HTTPS | query.prod.cms.rt.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com |
+| | HTTPS | query.prod.cms.rt.microsoft.com |
## Windows Update
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
The following endpoints are used to download operating system patches and updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTP | *.windowsupdate.com | 1709 |
-| | HTTP | fg.download.windowsupdate.com.c.footprint.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | cds.d2s7q6s2.hwcdn.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | *wac.phicdn.net | 1709 |
-| | | *wac.edgecastcdn.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | emdl.ws.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com |
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | fe2.update.microsoft.com | 1709 |
-| svchost | | fe3.delivery.mp.microsoft.com | 1709 |
-| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | 1709 |
-| svchost | HTTPS | sls.update.microsoft.com | 1709 |
-| | HTTP | *.dl.delivery.mp.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com |
+| svchost | | fe3.delivery.mp.microsoft.com |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
+| svchost | HTTPS | sls.update.microsoft.com |
+| | HTTP | *.dl.delivery.mp.microsoft.com |
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
The following endpoints are used to download content.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | a122.dscd.akamai.net | 1709 |
-| | | a1621.g.akamai.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
## Microsoft forward link redirection service (FWLink)
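Review bot: In the Windows Update table, `*.dl.delivery.mp.microsoft.com` was the only row marked 1803 while every other row in these tables was 1709, so removing the "Applies from Windows 10 version" column drops the one version distinction this section carried. If the page is now scoped to a single release, state that release near the top of the page, and check that this row is not copied unchanged into the 1709 page linked under "Other Windows 10 editions". Since these tables are being touched anyway, the unchanged context lines around them could be fixed in the same pass: the unbalanced ")" after "has not acquired" and "will not able to get apps".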
@@ -478,12 +478,16 @@ The following endpoint is used by the Microsoft forward link redirection service
If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-|Various|HTTPS|go.microsoft.com| 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
## Other Windows 10 editions
+To view endpoints for other versions of Windows 10 enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
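Review bot: The links added at the top of "Other Windows 10 editions" point to other versions (1709, 1809) of the Enterprise edition, not to other editions, so the heading no longer describes its first list; rename it or put the new list under its own "Other Windows 10 versions" heading. In the added sentence, "Windows 10 enterprise" should be capitalized as "Enterprise" to match "non-Enterprise Windows 10 editions" in the paragraph that follows.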
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
new file mode 100644
index 0000000000..f1805362f1
--- /dev/null
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -0,0 +1,528 @@
+---
+title: Connection endpoints for Windows 10, version 1803
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: danihalfin
+ms.author: daniha
+ms.date: 6/26/2018
+---
+# Manage connection endpoints for Windows 10, version 1809
+
+**Applies to**
+
+- Windows 10, version 1809
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
+
+We used the following methodology to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Enterprise connection endpoints
+
+## Apps
+
+The following endpoint is used to download updates to the Weather app Live Tile.
+If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com |
+| | HTTP | blob.weather.microsoft.com |
+
+The following endpoint is used for OneNote Live Tile.
+To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
+
+The following endpoints are used for Twitter updates.
+To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
+
+The following endpoint is used for Facebook updates.
+To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
+
+The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
+To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
+
+The following endpoint is used for Candy Crush Saga updates.
+To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
+
+The following endpoint is used for by the Microsoft Wallet app.
+To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
+
+The following endpoint is used by the Groove Music app for update HTTP handler status.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
+
+The following endpoints are used when using the Whiteboard app.
+To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wbd.ms |
+| | HTTPS | int.whiteboard.microsoft.com |
+| | HTTPS | whiteboard.microsoft.com |
+| | HTTP / HTTPS | whiteboard.ms |
+
+## Cortana and Search
+
+The following endpoint is used to get images that are used for Microsoft Store suggestions.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS |store-images.s-microsoft.com |
+
+The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client |
+
+The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive |
+
+The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
+
+## Certificates
+
+The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
+
+The following endpoints are used to download certificates that are publicly known to be fraudulent.
+These settings are critical for both Windows security and the overall security of the Internet.
+We do not recommend blocking this endpoint.
+If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
+
+## Device authentication
+
+The following endpoint is used to authenticate a device.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure |
+
+## Device metadata
+
+The following endpoint is used to retrieve device metadata.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+| | HTTP | dmd.metaservices.microsoft.com |
+
+## Diagnostic Data
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 |
+
+The following endpoints are used by Windows Error Reporting.
+To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com |
+| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
+
+## Font streaming
+
+The following endpoints are used to download fonts on demand.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
+
+## Licensing
+
+The following endpoint is used for online activation and some app licensing.
+To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
+
+## Location
+
+The following endpoint is used for location data.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
+| | HTTPS | inference.location.live.net |
+
+## Maps
+
+The following endpoint is used to check for updates to maps that have been downloaded for offline use.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
+
+## Microsoft account
+
+The following endpoints are used for Microsoft accounts to sign in.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
+| | | us.configsvc1.live.com.akadns.net |
+
+## Microsoft Store
+
+The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | *.wns.windows.com |
+
+The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com |
+
+The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
+| backgroundtransferhost | HTTPS | store-images.microsoft.com |
+
+The following endpoints are used to communicate with Microsoft Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP \ HTTPS | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+| svchost | HTTPS | displaycatalog.mp.microsoft.com |
+
+## Network Connection Status Indicator (NCSI)
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
+
+## Office
+
+The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+| | HTTPS | ocos-office365-s2s.msedge.net |
+| | HTTPS | nexusrules.officeapps.live.com |
+| | HTTPS | officeclient.microsoft.com |
+
+The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
+
+The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
+
+The following endpoint is used to connect the Office To-Do app to it's cloud service.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| |HTTPS|to-do.microsoft.com|
+
+## OneDrive
+
+The following endpoint is a redirection service that’s used to automatically update URLs.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
+
+The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
+To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
+
+## Settings
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
+
+## Skype
+
+The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
+| | HTTPS | browser.pipe.aria.microsoft.com |
+| | | skypeecs-prod-usw-0-b.cloudapp.net |
+
+## Windows Defender
+
+The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
+
+The following endpoints are used for Windows Defender definition updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com |
+
+The following endpoints are used for Windows Defender Smartscreen reporting and notifications.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | ars.smartscreen.microsoft.com |
+| | HTTPS | unitedstates.smartscreen-prod.microsoft.com |
+| | | smartscreen-sn3p.smartscreen.microsoft.com |
+
+## Windows Spotlight
+
+The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com |
+| | HTTPS | query.prod.cms.rt.microsoft.com |
+
+## Windows Update
+
+The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
+
+The following endpoints are used to download operating system patches and updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
+
+The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
+
+The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
+
+The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
+
+The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com |
+
+The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com |
+| svchost | | fe3.delivery.mp.microsoft.com |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
+| svchost | HTTPS | sls.update.microsoft.com |
+| | HTTP | *.dl.delivery.mp.microsoft.com |
+
+The following endpoint is used for content regulation.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
+
+The following endpoints are used to download content.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
+
+## Microsoft forward link redirection service (FWLink)
+
+The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
+
+If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
+
+## Other Windows 10 editions
+
+To view endpoints for other versions of Windows 10 enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
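Review bot: Several rows in the added endpoint tables leave Source process and Protocol empty (for example wdcp.microsoft.com, definitionupdates.microsoft.com, cds.d2s7q6s2.hwcdn.net and both akamai.net hosts), so someone turning this page into firewall or proxy rules cannot tell which port or process to scope a rule to. Either fill the cells in or say explicitly that the value was not captured. The wildcard notation is also inconsistent (`*.windowsupdate.com` versus `*wac.phicdn.net`), which matters for anyone copying these into a filter. Wording to fix in the same pass: "Smartscreen notifications will no appear" should read "will not appear", "will not able to get apps" is missing "be", and the Time Limited URL sentence ends with an unmatched ")". The file also ends without a trailing newline.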
diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
index b0ee83d6a3..72a79162f0 100644
--- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
@@ -49,7 +49,6 @@ We used the following methodology to derive these network endpoints:
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
-| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
@@ -108,7 +107,13 @@ We used the following methodology to derive these network endpoints:
| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. |
-| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. |
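Review bot: The new `*.telemetry.microsoft.com` row is a wildcard that matches far more than the single `watson.telemetry.microsoft.com` host it replaces, but it keeps the narrow description "Used by Windows Error Reporting." Readers who use this table as an allow-list or block-list will now match every telemetry subdomain under that one label. If only the Windows Error Reporting hosts are meant, list them by name. Otherwise, widen the description to say what the wildcard covers. The seven added rows also sit between wallet-frontend-prod-westus.cloudapp.net and wdcp.microsoft.akadns.net, which breaks the alphabetical order the rest of the table appears to follow.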
@@ -192,12 +197,17 @@ We used the following methodology to derive these network endpoints:
| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
-| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
-| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. |
| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. |
@@ -265,9 +275,15 @@ We used the following methodology to derive these network endpoints:
| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
-| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
+| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
-| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
+
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
\ No newline at end of file
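Review bot: The removed `watson.telemetry.microsoft.com` row is replaced by an added empty line in the middle of the table, so the `wdcp.microsoft.akadns.net` and `www.bing.com` rows that follow it will no longer render as part of the table. Drop the row outright rather than leaving a blank `+` line. While here, the new telemetry and blob rows are inserted between tile-service.weather.microsoft.com and tsfe.trafficshaping.dsp.mp.microsoft.com, out of the order the surrounding rows use, and the file still ends without a trailing newline.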
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
index d2f8d995f9..a6b919a090 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
@@ -17,10 +17,10 @@ ms.date: 08/19/2018
Device Registration is a prerequisite to Windows Hello for Business provisioning. Device registration occurs regardless of a cloud, hybrid, or on-premises deployments. For cloud and hybrid deployments, devices register with Azure Active Directory. For on-premises deployments, devices registered with the enterprise device registration service hosted by Active Directory Federation Services (AD FS).
-[Azure AD joined in Managed environments](#Azure-AD-joined-in-Managed-environments)
-[Azure AD joined in Federated environments](#Azure-AD-joined-in-Federated-environments)
-[Hybrid Azure AD joined in Managed environments](#HybridAzure-AD-joined-in-Managed-environments)
-[Hybrid Azure AD joined in Federated environments](#Hybrid-Azure-AD-joined-in-Federated-environments)
+[Azure AD joined in Managed environments](#azure-ad-joined-in-managed-environments)
+[Azure AD joined in Federated environments](#azure-ad-joined-in-federated-environments)
+[Hybrid Azure AD joined in Managed environments](#hybrid-azure-ad-joined-in-managed-environments)
+[Hybrid Azure AD joined in Federated environments](#hybrid-azure-ad-joined-in-federated-environments)
@@ -47,7 +47,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
| :----: | :----------- |
|A | The most common way Azure AD joined devices register with Azure is during the out-of-box-experience (OOBE) where it loads the Azure AD join web application in the Cloud Experience Host (CXH) application. The application sends a GET request to the Azure OpenID configuration endpoint to discover authorization endpoints. Azure returns the OpenID configuration, which includes the authorization endpoints, to application as JSON document.|
|B | The application builds a sign-in request for the authorization end point and collects user credentials.|
-|C | After the user provides their user name (in UPN format), the application sends a GET request to Azure to discover corresponding realm information for the user. This determines if the environment is managed or federated. Azure returns the information in a JSON object. The application determines the environment is managed (non-federated).
The application redirects to the AuthURL value (on-premises STS sign-in page) in the returned JSON realm object. The application collects credentials through the STS web page.|
+|C | After the user provides their user name (in UPN format), the application sends a GET request to Azure to discover corresponding realm information for the user. This determines if the environment is managed or federated. Azure returns the information in a JSON object. The application determines the environment is federated.
The application redirects to the AuthURL value (on-premises STS sign-in page) in the returned JSON realm object. The application collects credentials through the STS web page.|
|D | The application POST the credential to the on-premises STS, which may require additional factors of authentication. The on-premises STS authenticates the user and returns a token. The application POSTs the token to Azure Active Directory for authentication. Azure Active Directory validates the token and returns an ID token with claims.|
|E | The application looks for MDM terms of use (the mdm_tou_url claim). If present, the application retrieves the terms of use from the claim's value, present the contents to the user, and waits for the user to accept the terms of use. This step is optional and skipped if the claim is not present or if the claim value is empty.|
|F | The application sends a device registration discovery request to the Azure Device Registration Service (ADRS). Azure DRS returns a discovery data document, which returns tenant specific URIs to complete device registration.|
@@ -77,8 +77,8 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
| Phase | Description |
| :----: | :----------- |
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.|
-|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
-|C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task.
+|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines directs device registration to Azure Device Registration Service (ADRS).|
+|C | For the federated environments, the computer authenticates ADFS/STS using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task.
|D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
|E | To provide SSO for on-premises federated application, the task requests an enterprise PRT from the on-premises STS. Windows Server 2016 running the Active Directory Federation Services role validate the request and return it the running task.|
|F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client. Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
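Review bot: The rewritten phase B sentence reads "The value returned in the keywords attribute determines directs device registration to Azure Device Registration Service (ADRS)", with "determines" left over from the old wording. Pick one verb, for example "directs device registration to". In phase C, "the computer authenticates ADFS/STS" should be "authenticates to", and the next sentence still says "The enterprise device registration service creates and returns a token". After this change the row names two different token issuers, so state which service actually issues the token with the object GUID, computer SID and domain-joined claims. The introduction of this page spells the product "AD FS"; use the same form here.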
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index cf8ef7b9a5..ab1a856a27 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -8,33 +8,33 @@ ms.pagetype: security
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
-ms.date: 08/19/2018
+ms.date: 10/08/2018
---
# Technology and Terms
**Applies to:**
- Windows 10
-- [Attestation Identity Keys](#Attestation-Identity-Keys)
-- [Azure AD Joined](#Azure-AD-Joined)
-- [Azure AD Registered](#Azure-AD-Registered)
-- [Certificate Trust](#Certificate-Trust)
-- [Cloud Deployment](#Cloud-Deployment)
-- [Deployment Type](#Deployment-Type)
-- [Endorsement Key](#Endorsement-Key)
-- [Federated Environment](#Federated-Environment)
-- [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined)
-- [Hybrid Deployment](#Hybrid-Deployment)
-- [Join Type](#Join-Type)
-- [Key Trust](#Key-Trust)
-- [Managed Environment](#Managed-Environment)
-- [On-premises Deployment](#Onpremises-Deployment)
-- [Pass-through Authentication](#Passthrough-Authentication)
-- [Password Hash Synchronization](#Password-Hash-Synchronization)
-- [Primary Refresh Token](#Primary-Refresh-Token)
-- [Storage Root Key](#Storage-Root-Key)
-- [Trust Type](#Trust-Type)
-- [Trusted Platform Module](#Trusted-Platform-Module)
+- [Attestation Identity Keys](#attestation-identity-keys)
+- [Azure AD Joined](#azure-ad-joined)
+- [Azure AD Registered](#azure-ad-registered)
+- [Certificate Trust](#certificate-trust)
+- [Cloud Deployment](#cloud-deployment)
+- [Deployment Type](#deployment-type)
+- [Endorsement Key](#endorsement-key)
+- [Federated Environment](#federated-environment)
+- [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
+- [Hybrid Deployment](#hybrid-deployment)
+- [Join Type](#join-type)
+- [Key Trust](#key-trust)
+- [Managed Environment](#managed-environment)
+- [On-premises Deployment](#on-premises-deployment)
+- [Pass-through Authentication](#passthrough-authentication)
+- [Password Hash Synchronization](#password-hash-synchronization)
+- [Primary Refresh Token](#primary-refresh-token)
+- [Storage Root Key](#storage-root-key)
+- [Trust Type](#trust-type)
+- [Trusted Platform Module](#trusted-platform-module)
## Attestation Identity Keys
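Review bot: The table-of-contents entry for Pass-through Authentication still points at `#passthrough-authentication`, although the On-premises Deployment entry next to it was corrected to keep its hyphen (`#on-premises-deployment`). Further down in this same patch, the Federated Environment related-topics line links to `#pass-through-authentication`, so the two disagree, and at most one of them can resolve. That same related-topics line uses `#password-hash-sync`, which does not match the `#password-hash-synchronization` target used here. Please align all of these with the anchors the headings actually generate.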
@@ -44,58 +44,57 @@ Because the endorsement certificate is unique for each device and does not chang
> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
-Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft
-Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device.
+Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device.
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate.
### Related topics
-[Endorsement Key](#Endorsement-Key), [Storage Root Key](#Storage-Root-Key), [Trusted Platform Module](#Trusted-Platform-Module)
+[Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)
### More information
- [Windows Client Certificate Enrollment Protocol: Glossary](https://msdn.microsoft.com/library/cc249746.aspx#gt_70efa425-6b46-462f-911d-d399404529ab)
- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Azure AD Joined
Azure AD Join is intended for organizations that desire to be cloud-first or cloud-only. There is no restriction on the size or type of organizations that can deploy Azure AD Join. Azure AD Join works well even in an hybrid environment and can enable access to on-premise applications and resources.
### Related topics
-[Join Type](#Join-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined)
+[Join Type](#join-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
### More information
- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction).
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Azure AD Registered
The goal of Azure AD registered devices is to provide you with support for the Bring Your Own Device (BYOD) scenario. In this scenario, a user can access your organization's Azure Active Directory controlled resources using a personal device.
### Related topics
-[Azure AD Joined](#Azure-AD-Joined), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Join Type](#Join-Type)
+[Azure AD Joined](#azure-ad-joined), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Join Type](#join-type)
### More information
- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Certificate Trust
The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers.
### Related topics
-[Deployment Type](#Deployment-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Hybrid Deployment](#Hybrid-Deployment), [Key Trust](#Key-Trust), [On-premises Deployment](#Onpremises-Deployment), [Trust Type](#Trust-Type)
+[Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [Key Trust](#key-trust), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type)
### More information
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Cloud Deployment
The Windows Hello for Business Cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD joined or Azure AD registered device join types.
### Related topics
-[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Deployment Type](#Deployment-Type), [Join Type](#Join-Type)
+[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Deployment Type](#deployment-type), [Join Type](#join-type)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Deployment Type
Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include:
- Cloud
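Review bot: The "Return to Top" links are changed from an in-page anchor to the file path `hello-how-it-works-technology.md`, while every other link touched in this hunk stays an in-page anchor and is only lowercased. If the goal is just to fix anchor case, `#technology-and-terms` would be consistent with the rest of the change. If the file link is deliberate because the page title has no anchor, say so in the commit message so the next editor does not change it back.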
@@ -103,12 +102,12 @@ Windows Hello for Business has three deployment models to accommodate the needs
- On-Premises
### Related topics
-[Cloud Deployment](#Cloud-Deployment), [Hybrid Deployment](#Hybrid-Deployment), [On-premises Deployment](#Onpremises-Deployment)
+[Cloud Deployment](#cloud-deployment), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment)
### More information
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Endorsement Key
The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits).
@@ -121,115 +120,120 @@ The endorsement key is often accompanied by one or two digital certificates:
- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
+
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
### Related topics
-[Attestation Identity Keys](#Attestation-Identity-Keys), [Storage Root Key](#Storage-Root-Key), [Trusted Platform Module](#Trusted-Platform-Module)
+[Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)
### More information
- [Understand the TPM endorsement key](https://go.microsoft.com/fwlink/p/?LinkId=733952).
- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Federated Environment
Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure Active Directory and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they do not have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide additional authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
### Related topics
-[Hybrid Deployment](#Hybrid-Deployment), [Managed Environment](#Managed-Environment), [Pass-through authentication](#Passthrough-authentication), [Password Hash Sync](#Password-Hash-Sync)
+[Hybrid Deployment](#hybrid-deployment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Sync](#password-hash-sync)
### More information
- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Hybrid Azure AD Joined
For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
- IT departments to manage work-owned devices from a central location.
- Users to sign in to their devices with their Active Directory work or school accounts.
Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use System Center Configuration Manager (SCCM) or group policy (GP) to manage them.
+
If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.
### Related topics
-[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Deployment](#Hybrid-Deployment)
+[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Deployment](#hybrid-deployment)
### More information
- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Hybrid Deployment
The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that is synchronized with Azure Active Directory. Hybrid deployments support devices that are Azure AD registered, Azure AD joined, and hybrid Azure AD joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
### Related topics
-[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined),
+[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined),
### More information
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Join type
Join type is how devices are associated with Azure Active Directory. For a device to authenticate to Azure Active Directory it must be registered or joined.
+
Registering a device to Azure AD enables you to manage a device's identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device.
+
When combined with a mobile device management(MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune .
+
Joining a device is an extension to registering a device. This means, it provides you with all the benefits of registering a device and in addition to this, it also changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account.
### Related topics
-[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined)
+[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
### More information
- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Key Trust
The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
### Related topics
-[Certificate Trust](#Certificate-Trust), [Deployment Type](#Deployment-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Hybrid Deployment](#Hybrid-Deployment), [On-premises Deployment](#Onpremises-Deployment), [Trust Type](#Trust-Type), [Trust Type](#Trust-Type)
+[Certificate Trust](#certificate-trust), [Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type)
### More information
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Managed Environment
Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services.
### Related topics
-[Federated Environment](#Federated-Environment), [Pass-through authentication](#Passthrough-authentication), [Password Hash Synchronization](#Password-Hash-Synchronization)
+[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-synchronization)
[Return to Top](#Technology-and-Terms)
## On-premises Deployment
The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust.
### Related topics
-[Cloud Deployment](#Cloud-Deployment), [Deployment Type](#Deployment-Type), [Hybrid Deployment](#Hybrid-Deployment)
+[Cloud Deployment](#cloud-deployment), [Deployment Type](#deployment-type), [Hybrid Deployment](#hybrid-deployment)
### More information
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Pass-through authentication
Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
### Related topics
-[Federated Environment](#Federated-Environment), [Managed Environment](#Managed-Environment), [Password Hash Synchronization](#Password-Hash-Synchronization)
+[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-synchronization)
### More information
- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](#hello-how-it-works-technology.md)
## Password Hash Sync
The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
### Related topics
-[Federated Environment](#Federated-Environment), [Managed Environment](#Managed-Environment), [Pass-through authentication](#Passthrough-authentication)
+[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication)
### More information
- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Primary Refresh Token
SSO relies on special tokens obtained for each of the types of applications above. These are in turn used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications we call this a Primary Refresh Token (PRT). This is a [JSON Web Token](http://openid.net/specs/draft-jones-json-web-token-07.html) containing claims about both the user and the device.
-The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and domain joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.).
+The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and hybrid Azure AD joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.).
The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied.
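Review bot: The rewritten footer under Pass-through authentication, `+[Return to Top](#hello-how-it-works-technology.md)`, keeps a leading `#`, so it is treated as an in-page anchor and will not resolve. Every other rewritten footer uses `(hello-how-it-works-technology.md)`, so drop the `#`. Three related points in this region. The Managed Environment section still carries the old `[Return to Top](#Technology-and-Terms)` as unchanged context and should be updated with the rest. The Related topics lines under Managed Environment and Pass-through authentication now point at `#password-hash-synchronization`, but the heading is `## Password Hash Sync` and the Federated Environment line uses `#password-hash-sync`; use that anchor and link text throughout. The trailing comma at the end of the Hybrid Deployment Related topics line was carried over unchanged. Separately, the second sentence of the Key Trust paragraph names the certificate trust model, which looks like a copy-paste slip worth checking while the section is being edited.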
@@ -238,22 +242,22 @@ The PRT is needed for SSO. Without it, the user will be prompted for credentials
The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
### Related topics
-[Attestation Identity Keys](#Attestation-Identity-Keys), [Endorsement Key](#Endorsement-Key), [Trusted Platform Module](#Trusted-Platform-Module)
+[Attestation Identity Keys](#attestation-identity-keys), [Endorsement Key](#endorsement-key), [Trusted Platform Module](#trusted-platform-module)
### More information
[TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Trust type
The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type does not affect authentication to Azure Active Directory. Windows Hello for Business authentication to Azure Active Directory always uses the key, not a certificate (excluding smart card authentication in a federated environment).
### Related topics
-[Certificate Trust](#Certificate-Trust), [Hybrid Deployment](#Hybrid-Deployment), [Key Trust](#Key-Trust), [On-premises Deployment](#Onpremises-Deployment)
+[Certificate Trust](#certificate-trust), [Hybrid Deployment](#hybrid-deployment), [Key Trust](#key-trust), [On-premises Deployment](#on-premises-deployment)
### More information
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
## Trusted Platform Module
A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
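Review bot: Under Storage Root Key, the More information entry `[TPM Library Specification](...)` is a bare link, while the same entry in the other sections of this file is written as a list item (`- [TPM Library Specification](...)`). Since the lines on either side are being touched, add the leading `- ` so the section renders consistently.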
@@ -289,12 +293,12 @@ In a simplified manner, the TPM is a passive component with limited resources. I
### Related topics
-[Attestation Identity Keys](#Attestation-Identity-Keys), [Endorsement Key](#Endorsement-Key), [Storage Root Key](#Storage-Root-Key)
+[Attestation Identity Keys](#attestation-identity-keys), [Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key)
### More information
- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index d47f46ccc8..d855efc036 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -100,7 +100,7 @@ Sign-in to a domain controller or management workstation with access equivalent
4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog.
> [!NOTE]
-> For high-availabilty, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
+> For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
### Create the NDES Service Account
The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account.
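Review bot: In the corrected note, "For high-availability, you should have" uses the term as a noun, so it should not be hyphenated; suggest "For high availability, you should have more than one NDES server". The paragraph under Create the NDES Service Account, visible as context, has two further wording slips that could go in the same pass: "it is preferential to run services" should be "it is preferable", and "a normal services account" should be "a normal service account".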
@@ -686,4 +686,4 @@ You have successfully completed the configuration. Add users that need to enrol
> * Install and Configure the NDES Role
> * Configure Network Device Enrollment Services to work with Microsoft Intune
> * Download, Install, and Configure the Intune Certificate Connector
-> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
\ No newline at end of file
+> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
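Review bot: The last bullet is rewritten only to add the trailing newline, but its text still has the closing parenthesis in the wrong place: "Simple Certificate Enrollment Protocol (SCEP Certificate Profile)". Suggest "Simple Certificate Enrollment Protocol (SCEP) Certificate Profile" while the line is open. The context line above the list also reads "Add users that need to enrol"; check that the spelling matches the rest of the guide.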
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 7a72138a84..06a470b1ce 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -60,10 +60,10 @@ The remainder of the provisioning includes Windows Hello for Business requesting
## Follow the Windows Hello for Business hybrid key trust deployment guide
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
+1. [Overview](hello-hybrid-key-trust.md)
+2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
+3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
-5. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-6. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
+5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
+6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
7. Sign-in and Provision(*You are here*)
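Review bot: The new link targets in steps 1 to 6 mix two naming patterns (`hello-hybrid-key-trust-prereqs.md`, `hello-hybrid-key-trust-devreg.md` versus `hello-hybrid-key-new-install.md`, `hello-hybrid-key-whfb-settings.md`), so please confirm each file exists under that exact name before merging. The previous cert-trust links resolved but sent key trust readers to the wrong guide, and a 404 would be no better. Step 7, left as context, is missing a space before the parenthesis: "Sign-in and Provision(*You are here*)".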
diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
new file mode 100644
index 0000000000..fb9afb773b
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
@@ -0,0 +1,31 @@
+---
+title: Microsoft-compatible security key
+description: Windows10 enables users to sign in to their device using a security key. How is a Microsoft-compatible security key different (and better) than any other FIDO2 security key
+keywords: FIDO2, security key, CTAP, Hello, WHFB
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: aabhathipsay
+ms.author: aathipsa
+ms.localizationpriority: medium
+ms.date: 11/14/2018
+---
+# What is a Microsoft-compatible security key?
+> [!Warning]
+> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+Microsoft has been aligned with the [FIDO Alliance](https://fidoalliance.org/) with a mission to replace passwords with an easy to use, strong 2FA credential. We have been working with our partners to extensively test and deliver a seamless and secure authentication experience to end users.
+
+The [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html) contains a few optional features and extensions which are crucial to provide that seamless and secure experience.
+
+A security key **MUST** implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible:
+
+| # | Feature / Extension trust | Why is this required? |
+| --- | --- | --- |
+| 1 | Resident key | This feature enables the security key to be portable, where your credential is stored on the security key |
+| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have an user interface|
+| 3 | hmac-secret | This extension ensures you can sign-in to your device when it's off-line or in airplane mode |
+| 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account (MSA) and Azure Active Directory (AAD) |
+
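Review bot: The table header "Feature / Extension trust" in the new file has a stray word; "trust" does not describe any of the four rows and should be dropped. Other wording to fix before this ships: the description front matter reads "Windows10" (missing space), and its final sentence is a question with no question mark and says "different (and better) than". Row 2 says "an user interface" and "Client pin" (the CTAP feature is written "Client PIN"). Row 3 says "off-line". The file also ends with an extra blank added line after the table. Since the page states these features are a **MUST** for compatibility, it would help to say in the intro how an administrator can tell whether a given key implements them, or link to where that is documented.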
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 15f9ab184e..851edc7279 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: operate
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
-ms.date: 09/19/2018
+ms.date: 11/16/2018
---
# How User Account Control works
@@ -182,7 +182,7 @@ To better understand each component, review the table below:
Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.
-Never notify (Disable UAC) will:
+Never notify (Disable UAC prompts) will:
- Not notify you when programs try to install software or make changes to your computer.
- Not notify you when you make changes to Windows settings.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 29580800e7..d536281716 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: Justinha
-ms.date: 10/27/2017
+ms.date: 11/06/2018
---
# Overview of BitLocker Device Encryption in Windows 10
@@ -14,7 +14,7 @@ ms.date: 10/27/2017
**Applies to**
- Windows 10
-This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10.
+This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10.
For an architectural overview about how BitLocker Device Encryption works with Secure Boot, see [Secure boot and BitLocker Device Encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview).
For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
@@ -84,13 +84,13 @@ Exercise caution when encrypting only used space on an existing volume on which
SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
-For more information about encrypted hard drives, see [Encrypted Hard Drive](/windows/security/hardware-protection/encrypted-hard-drive.md).
+For more information about encrypted hard drives, see [Encrypted Hard Drive](../encrypted-hard-drive.md).
## Preboot information protection
An effective implementation of information protection, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided.
-Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md) and [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md).
+Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
## Manage passwords and PINs
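Review bot: The replacement link `../encrypted-hard-drive.md` resolves relative to `information-protection/bitlocker/`, that is, to `windows/security/information-protection/encrypted-hard-drive.md`, whereas the removed absolute link named the `hardware-protection` folder. Please confirm the file lives at the new location. In the Preboot information protection paragraph, the reference to `choose-the-right-bitlocker-countermeasure.md` is dropped. If that topic is being retired, make sure a redirect to `bitlocker-countermeasures.md` is in place so existing inbound links do not break.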
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 585264179f..cb56f52198 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.sitesec: library
ms.localizationpriority: medium
author: brianlic-msft
-ms.date: 10/13/2017
+ms.date: 11/16/2018
---
# Secure the Windows 10 boot process
@@ -122,9 +122,5 @@ Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to
## Summary
Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 10, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows 10, you can truly trust the integrity of your operating system.
-For more information:
-
-- Watch a [video demonstration of Secure Boot](https://technet.microsoft.com/windows/jj737995.aspx)
-
## Additional resources
- [Windows 10 Enterprise Evaluation](https://technet.microsoft.com/evalcenter/hh699156.aspx?ocid=wc-tn-wctc)
diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
index db918c0ba6..6f31a72d96 100644
--- a/windows/security/information-protection/tpm/manage-tpm-lockout.md
+++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md
@@ -31,7 +31,7 @@ The industry standards from the Trusted Computing Group (TCG) specify that TPM m
**TPM 2.0**
-TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 2 hours. This means that every continuous two hours of powered on operation without an event which increases the counter will cause the counter to decrease by 1.
+TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows 10 configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event which increases the counter will cause the counter to decrease by 1.
If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607.
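Review bot: The TPM 2.0 paragraph changes the healing time from 2 hours to 10 minutes and narrows the subject from "Windows" to "Windows 10", but does not say which releases the new value applies to. This is an anti-hammering parameter that administrators rely on when assessing PIN brute-force resistance. Please state the version scope explicitly, and say whether the 2 hour value still applies to earlier releases. The following context paragraph already scopes its statement to "Windows 10 version 1607", which is a good model. Also pick one numeral style; the new text uses both "10 minutes" and "ten minutes".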
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 8ce020a25f..33ec5598fe 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.author: justinha
-ms.date: 06/18/2018
+ms.date: 11/08/2018
ms.localizationpriority: medium
---
@@ -24,6 +24,10 @@ With the increase of employee-owned devices in the enterprise, there’s also an
Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
+## Video: Protect enterprise data from being accidentally copied to the wrong place
+
+> [!Video https://www.microsoft.com/en-us/videoplayer/embed/RE2IGhh]
+
## Prerequisites
You’ll need this software to run WIP in your enterprise:
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 0f59fcfe7b..8bb9b2c5d5 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -97,4 +97,4 @@ Here, you can copy the **WipAppid** and use it to adjust your WIP protection pol
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
>[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index bf4338475e..7727f109bc 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -23,6 +23,7 @@
###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md)
+
##### Alerts queue
###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
@@ -80,77 +81,11 @@
##### [Custom detections](windows-defender-atp/overview-custom-detections.md)
###### [Create custom detections rules](windows-defender-atp/custom-detection-rules.md)
+
#### [Management and APIs](windows-defender-atp/management-apis.md)
##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
-######Actor
-####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
-####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-######Alerts
-####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-######Domain
-####### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-######File
-####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
-####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
-####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
-####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
-
-######IP
-####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-######Machines
-####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
-####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
-####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
-####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-######Machines Security States
-####### [Get MachineSecurityStates collection](windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
-######Machine Groups
-####### [Get MachineGroups collection](windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
-
-######User
-####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
-####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
-
-######Windows updates (KB) info
-####### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
-######Common Vulnerabilities and Exposures (CVE) to KB map
-####### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
-
+##### [Windows Defender ATP APIs](windows-defender-atp/apis-intro.md)
##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md)
#### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)
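Review bot: The replacement entry `##### [Windows Defender ATP APIs](windows-defender-atp/apis-intro.md)` points at a file that is not added in the lines shown here, while the later TOC hunk introduces the API landing page as `windows-defender-atp/use-apis.md`. Confirm that `apis-intro.md` is part of this change, or point this entry at the same target, so the Management and APIs node does not ship with a dead link or a second, competing entry point for the API docs. The blank line added before `#### [Management and APIs]` looks unintentional and can be dropped.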
@@ -187,12 +122,14 @@
### [Configure and manage capabilities](windows-defender-atp/onboard.md)
#### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md)
##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md)
-###### [Confguration settings](windows-defender-application-guard/configure-wd-app-guard.md)
+###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-##### [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-###### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
-####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+##### Device control
+###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
+###### [Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+####### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
+######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md)
###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
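Review bot: In the Device control block, nesting Memory integrity under the new `###### [Device Guard]` entry pushes Hardware qualifications and Enable HVCI to eight `#` levels, and `##### Device control` becomes an unlinked node. Check that the TOC renders this depth as intended. If the aim is only to add Control USB devices, keeping Memory integrity as a sibling of Device Guard at the `######` level would preserve the old depth for the HVCI pages.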
@@ -291,6 +228,152 @@
###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/use-apis.md)
+###### Create your app
+####### [Get access on behalf of a user](windows-defender-atp/exposed-apis-create-app-nativeapp.md)
+####### [Get access without a user](windows-defender-atp/exposed-apis-create-app-webapp.md)
+###### [Supported Windows Defender ATP APIs](windows-defender-atp/exposed-apis-list.md)
+####### [Advanced Hunting](windows-defender-atp/run-advanced-query-api.md)
+
+####### [Alert](windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md)
+######## [List alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Create alert](windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)
+######## [Update Alert](windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related domains information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related IPs information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
+
+####### Domain
+######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+####### [File](windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md)
+######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md)
+######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+####### IP
+######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
+
+####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
+######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
+
+
+####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
+######## [List MachineActions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+######## [Get MachineAction](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
+######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+
+####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
+######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
+
+
+###### How to use APIs - Samples
+####### Advanced Hunting API
+######## [Schedule advanced Hunting using Microsoft Flow](windows-defender-atp/run-advanced-query-sample-ms-flow.md)
+######## [Advanced Hunting using PowerShell](windows-defender-atp/run-advanced-query-sample-powershell.md)
+######## [Advanced Hunting using Python](windows-defender-atp/run-advanced-query-sample-python.md)
+######## [Create custom Power BI reports](windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
+####### Multiple APIs
+######## [PowerShell](windows-defender-atp/exposed-apis-full-sample-powershell.md)
+####### [Using OData Queries](windows-defender-atp/exposed-apis-odata-samples.md)
+
+##### [Use the Windows Defender ATP exposed APIs (deprecated)](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
+###### [Supported Windows Defender ATP APIs (deprecated)](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
+#######Actor (deprecated)
+######## [Get actor information (deprecated)](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
+######## [Get actor related alerts (deprecated)](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+#######Alerts (deprecated)
+######## [Get alerts (deprecated)](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get alert information by ID (deprecated)](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get alert related actor information (deprecated)](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related domain information (deprecated)](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related file information (deprecated)](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related IP information (deprecated)](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related machine information (deprecated)](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+#######Domain (deprecated)
+######## [Get domain related alerts (deprecated)](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get domain related machines (deprecated)](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get domain statistics (deprecated)](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is domain seen in organization (deprecated)](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+#######File(deprecated)
+######## [Block file (deprecated)](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
+######## [Get file information (deprecated)](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
+######## [Get file related alerts (deprecated)](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get file related machines (deprecated)](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get file statistics (deprecated)](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
+######## [Get FileActions collection (deprecated)](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Unblock file (deprecated)](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
+
+#######IP (deprecated)
+######## [Get IP related alerts (deprecated)](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get IP related machines (deprecated)](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get IP statistics (deprecated)](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is IP seen in organization (deprecated)](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+#######Machines (deprecated)
+######## [Collect investigation package (deprecated)](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
+######## [Find machine information by IP (deprecated)](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineAction object (deprecated)](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineActions collection (deprecated)](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machine by ID (deprecated)](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get machine log on users (deprecated)](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+######## [Get machine related alerts (deprecated)](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get MachineAction object (deprecated)](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get MachineActions collection (deprecated)](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get package SAS URI (deprecated)](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+######## [Isolate machine (deprecated)](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Release machine from isolation (deprecated)](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Remove app restriction (deprecated)](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Request sample (deprecated)](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
+######## [Restrict app execution (deprecated)](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Run antivirus scan (deprecated)](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
+######## [Stop and quarantine file (deprecated)](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+#######User (deprecated)
+######## [Get alert related user information (deprecated)](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+######## [Get user information (deprecated)](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
+######## [Get user related alerts (deprecated)](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get user related machines (deprecated)](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+#####Windows updates (KB) info
+###### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
+#####Common Vulnerabilities and Exposures (CVE) to KB map
+###### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
##### API for custom alerts
###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
###### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
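Review bot: The added `##### [Use the Windows Defender ATP exposed APIs (deprecated)]` entry links to `exposed-apis-windows-defender-advanced-threat-protection.md`, the same file that the unchanged entry under `##### API for custom alerts` still lists without the deprecated label. Decide which label applies and keep one. In the deprecated Machines block, `Get machines (deprecated)` appears twice with the same target. Several added headings are missing the space after the hashes or before the label suffix (`#######Actor (deprecated)`, `#######File(deprecated)`, `#####Windows updates (KB) info`). The KB info and CVE-KB map entries are re-added at the `#####` level outside the deprecated block without a deprecated label, so state whether they are still supported. The nine empty added lines before `##### API for custom alerts` can be trimmed to one.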
diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md
index dfa28ec177..c318406475 100644
--- a/windows/security/threat-protection/change-history-for-threat-protection.md
+++ b/windows/security/threat-protection/change-history-for-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Change history for Windows Defender Advanced Threat Protection (Windows Defender ATP)
+title: Change history for [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
description: This topic lists new and updated topics in the WWindows Defender ATP content set.
ms.prod: w10
ms.mktglfcycl: deploy
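Review bot: The `title:` front-matter value now contains a Markdown link (`[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/...)`), which looks like a bulk search-and-replace meant for body text. Front-matter titles are plain strings used for the page title and search results, so revert this line to the plain product name. While touching this header, the unchanged `description:` line also reads `WWindows Defender ATP` and should be corrected.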
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
new file mode 100644
index 0000000000..6629438e93
--- /dev/null
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -0,0 +1,86 @@
+---
+title: How to control USB devices and other removable media using Intune (Windows 10)
+description: You can configure Intune settings to reduce threats from removable storage such as USB devices.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+ms.author: justinha
+author: justinha
+ms.date: 11/15/2018
+---
+
+# How to control USB devices and other removable media using Intune
+
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+
+
+You can configure Intune settings to reduce threats from removable storage such as USB devices, including:
+
+- [Block unwanted removeable storage](#block-unwanted-removable-storage)
+- [Protect allowed removable storage](#protect-allowed-removable-storage)
+
+Protecting allowed removeable storage requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+We recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
+If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
+You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted.
+
+> [!NOTE]
+> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For data loss prevention on Windows 10 devices, you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device.
+
+## Block unwanted removeable storage
+
+1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
+2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
+
+ 
+
+3. Use the following settings:
+
+ - Name: Windows 10 Device Configuration
+ - Description: Block removeable storage and USB connections
+ - Platform: Windows 10 and later
+ - Profile type: Device restrictions
+
+ 
+
+4. Click **Configure** > **General**.
+
+5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**.
+
+ 
+
+6. Click **OK** to close **General** settings and **Device restrictions**.
+
+7. Click **Create** to save the profile.
+
+Alternatively, you can create a custom profile in Intune and configure [DeviceInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) policies.
+
+## Protect allowed removable storage
+
+These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+
+1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
+2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
+
+ 
+
+3. Use the following settings:
+
+ - Name: Type a name for the profile
+ - Description: Type a description
+ - Platform: Windows 10 or later
+ - Profile type: Endpoint protection
+
+ 
+
+4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**.
+
+5. For **Unsigned and untrusted processes that run from USB**, choose **Block**.
+
+ 
+
+6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**.
+
+7. Click **Create** to save the profile.
\ No newline at end of file
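Review bot: The first in-page link, `[Block unwanted removeable storage](#block-unwanted-removable-storage)`, targets an anchor spelled `removable`, but the heading it should reach is `## Block unwanted removeable storage`, so the generated anchor will not match and the link will not resolve. Spell the word `removable` in that heading, which fixes the anchor, and use the same spelling in the link text, in the `Protecting allowed removeable storage` sentence and in the profile description. The two procedures also disagree on the platform label (`Windows 10 and later` versus `Windows 10 or later`), so use whichever string the Intune portal shows. The file ends without a trailing newline.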
diff --git a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png
new file mode 100644
index 0000000000..3080e0d1f0
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png differ
diff --git a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png
new file mode 100644
index 0000000000..9d295dfa6b
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png
new file mode 100644
index 0000000000..1e0f0587a3
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png
new file mode 100644
index 0000000000..eaba30b27f
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png
new file mode 100644
index 0000000000..ada168228e
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/general-settings.png b/windows/security/threat-protection/device-control/images/general-settings.png
new file mode 100644
index 0000000000..152822dc29
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/general-settings.png differ
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 090b0c62f7..028116204e 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -13,7 +13,7 @@ ms.date: 10/04/2018
---
# Threat Protection
-Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
+[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
Windows Defender ATP
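Review bot: The product name in the opening sentence now links to `Windows10_Commercial_Comparison.pdf` on a blob storage host, so a reader who clicks "Windows Defender Advanced Threat Protection" expecting a product overview gets an edition comparison PDF instead. Keep the product name unlinked (or linked to the ATP docs) and add a separate, clearly labelled sentence for the comparison, noting that the target is a PDF.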
@@ -63,8 +63,8 @@ To further reinforce the security perimeter of your network, Windows Defender AT
-**[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
-Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
+**[Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
+Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
- [Alerts](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
- [Historical endpoint data](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
diff --git a/windows/security/threat-protection/intelligence/images/PrevalentMalware-67-percent.png b/windows/security/threat-protection/intelligence/images/PrevalentMalware-67-percent.png
deleted file mode 100644
index 8e2221a40b..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/PrevalentMalware-67-percent.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/PrevalentMalware.png b/windows/security/threat-protection/intelligence/images/PrevalentMalware.png
new file mode 100644
index 0000000000..8d93b4ed9d
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/PrevalentMalware.png differ
diff --git a/windows/security/threat-protection/intelligence/images/PrevalentMalware0818.png b/windows/security/threat-protection/intelligence/images/PrevalentMalware0818.png
deleted file mode 100644
index 8e3fb0cfde..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/PrevalentMalware0818.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/RealWorld-67-percent.png b/windows/security/threat-protection/intelligence/images/RealWorld-67-percent.png
deleted file mode 100644
index 9e011c0e6a..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/RealWorld-67-percent.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/RealWorld.png b/windows/security/threat-protection/intelligence/images/RealWorld.png
new file mode 100644
index 0000000000..82b7983c38
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/RealWorld.png differ
diff --git a/windows/security/threat-protection/intelligence/images/RealWorld0818.png b/windows/security/threat-protection/intelligence/images/RealWorld0818.png
deleted file mode 100644
index f1768f8187..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/RealWorld0818.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
index 5f2f3fbb28..34297ac109 100644
--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@@ -1,14 +1,14 @@
---
title: Top scoring in industry antivirus tests
description: Windows Defender Antivirus consistently achieves high scores in independent tests. View the latest scores and analysis.
-keywords: security, malware, av-comparatives, av-test, av, antivirus
+keywords: security, malware, av-comparatives, av-test, av, antivirus, windows, defender, scores
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 09/05/2018
+ms.date: 11/07/2018
---
# Top scoring in industry antivirus tests
@@ -18,20 +18,22 @@ ms.date: 09/05/2018
We want to be transparent and have gathered top industry reports that demonstrate our enterprise antivirus capabilities. Note that these tests only provide results for antivirus and do not test for additional security protections.
In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). Windows Defender Antivirus is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) security stack which addresses the latest and most sophisticated threats today. In many cases, customers might not even know they were protected. That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies.
-
-> [!TIP]
-> Learn why [Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise?ocid=cx-docs-avreports).
-

## AV-TEST: Perfect protection score of 6.0/6.0 in the latest test
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
+> [!NOTE]
+> [Download our latest analysis: Examining the AV-TEST July-August results](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y)
-### May-June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest**
+### July-August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y)
- Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples. With the latest results, Windows Defender Antivirus has achieved 100% on 10 of the 12 most recent antivirus tests (combined "Real-World" and "Prevalent malware").
+ Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022 malware samples. With the latest results, Windows Defender Antivirus has achieved 100% on 14 of the 16 most recent antivirus tests (combined "Real-World" and "Prevalent malware").
+
+### May-June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports)
+
+ Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples.
### March-April 2018 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)
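Review bot: The new July-August heading drops the `**Latest**` marker that the May-June heading carried, while the section title still says "in the latest test", so nothing in the list identifies which entry is current. Either restore the marker on the July-August heading or drop it consistently across the page. The two new analysis links (`RE2IL3Y`) also omit the `?ocid=cx-docs-avreports` parameter that the May-June and March-April analysis links keep; confirm that is intentional.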
@@ -43,26 +45,31 @@ Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with
|||
|---|---|
-|||
+|||

-## AV-Comparatives: Perfect protection rating of 100% in the latest test
+## AV-Comparatives: Protection rating of 99.8% in the latest test
AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions.
-### Real-World Protection Test July (Consumer): [Protection Rate 100%](https://www.av-comparatives.org/tests/real-world-protection-test-july-2018-factsheet/) **Latest**
+### Real-World Protection Test August - September (Enterprise): [Protection Rate 99.8%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-august-september-2018-testresult/) **Latest**
-The results are based on testing against 186 malicious URLs that have working exploits or point directly to malware.
+This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online.
+The test set contained 599 test cases (such as malicious URLs).
+
+### Malware Protection Test August 2018 (Enterprise): [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-august-2018-testresult/)
+
+This test, as defined by AV-Comparatives, attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. The results are based on testing against 1,556 malware samples.
### Real-World Protection Test March - June (Enterprise): [Protection Rate 98.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-june-2018-testresult/)
-This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online.
+The test set contained 1,163 test cases (such as malicious URLs).
### Malware Protection Test March 2018 (Enterprise): [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/)
-This test, as defined by AV-Comparatives, attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution.
+For this test, 1,470 recent malware samples were used.
[Historical AV-Comparatives Microsoft tests](https://www.av-comparatives.org/vendors/microsoft/)
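Review bot: The added description under "Malware Protection Test August 2018" carries over the grammar error "attempts to assesses"; it should read "attempts to assess". Moving the two "This test, as defined by AV-Comparatives" sentences up to the newest entries also leaves the March - June and March 2018 entries with only a sample count and no statement of what the test measures, which matters to anyone comparing the 98.7% and 99.8% figures. Consider stating the test definition once under the section heading and keeping only the counts per entry.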
diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md
index 5daf338deb..2f819e06b0 100644
--- a/windows/security/threat-protection/intelligence/understanding-malware.md
+++ b/windows/security/threat-protection/intelligence/understanding-malware.md
@@ -16,7 +16,7 @@ Malware is a term used to describe malicious applications and code that can caus
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.
-As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Windows Defender Advanced Threat Protection (Windows Defender ATP), businesses can stay protected with next-generation protection and other security capabilities.
+As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf), businesses can stay protected with next-generation protection and other security capabilities.
For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic.
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index b76c90029c..c9e7ce8541 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -25,7 +25,7 @@ Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have
* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues.
-* **Bondat** typically arrives through fictitious Nullsoft Sciptable Install System (NSIS) Java installers and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
+* **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software.
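Review bot: The spelling fix to "Scriptable" is right, but the two commas added in the Bondat bullet change its meaning. The old text described one vector, fictitious Java installers built with NSIS, plus removable drives; the new text reads as three vectors and makes "fictitious Nullsoft Scriptable Install System (NSIS)" an item on its own. If the original meaning is intended, use "fictitious Nullsoft Scriptable Install System (NSIS) Java installers and removable drives".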
@@ -45,4 +45,4 @@ Download [Microsoft Security Essentials](https://www.microsoft.com/download/deta
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
\ No newline at end of file
+For more general tips, see [prevent malware infection](prevent-malware-infection.md).
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
index c481a744c3..1478eafa69 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
@@ -18,7 +18,7 @@ ms.date: 10/11/2018
Describes the Account Lockout Policy settings and links to information about each policy setting.
-Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached. The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**.
+Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached. The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**.
The following topics provide a discussion of each policy setting's implementation and best practices considerations, policy location, default values for the server type or Group Policy Object (GPO), relevant differences in operating system versions, and security considerations (including the possible vulnerabilities of each policy setting), countermeasures that you can implement, and the potential impact of implementing the countermeasures.
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
index 681ff23ad9..40febeceab 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
-ms.date: 10/26/2018
+ms.date: 11/02/2018
---
# Account lockout threshold
@@ -37,8 +37,11 @@ Because vulnerabilities can exist when this value is configured and when it is n
### Best practices
-The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, a value of 10 could be an acceptable starting point for your organization.
-> **Important:** Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this topic.
+The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend a value of 10 could be an acceptable starting point for your organization.
+
+As with other account lockeout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/).
+
+Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this topic.
### Location
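Review bot: The second added paragraph misspells "lockout" as "lockeout". The first added sentence also merges two phrasings: "recommend a value of 10 could be an acceptable starting point" should be either "recommend a value of 10" or "a value of 10 could be an acceptable starting point". The change also removes the `> **Important:**` callout around the implementation-considerations sentence; if the demotion to body text is deliberate, say so in the commit message, because that sentence is the only pointer to the denial-of-service trade-off discussed under Implementation considerations.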
diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
index 5b63d093b8..d5b8c58676 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
@@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined
-| Default Domain Controler Policy | Not defined
+| Default Domain Controller Policy | Not defined
| Stand-Alone Server Default Settings | Disabled
| DC Effective Default Settings | Disabled
| Member Server Effective Default Settings | Disabled
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index 6028668431..0c05506d7b 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: brianlic-msft
-ms.date: 04/19/2017
+author: justinha
+ms.date: 11/13/2018
---
# Minimum password age
@@ -20,7 +20,7 @@ Describes the best practices, location, values, policy management, and security
## Reference
-The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
+The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow password changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
### Possible values
@@ -29,9 +29,16 @@ The **Minimum password age** policy setting determines the period of time (in da
### Best practices
-Set **Minimum password age** to a value of 2 days. Setting the number of days to 0 allows immediate password changes, which is not recommended.
+[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend setting **Minimum password age** to 1 day.
-If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**.
+Setting the number of days to 0 allows immediate password changes, which is not recommended.
+Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
+For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
+If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
+The minimum password age of 1 day prevents that.
+
+If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
+Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**.
### Location
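Review bot: The last added sentence is incomplete: "the user will not be able to change the password until the number of days specified by **Minimum password age**" needs "has passed" (or similar) at the end. The new example is a useful explanation of why 0 defeats password history, but it names a history requirement of 24 without linking to the Enforce password history setting; add that cross-reference so readers can see the two settings have to be configured together.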
@@ -70,11 +77,11 @@ To address password reuse, you must use a combination of security settings. Usin
### Countermeasure
-Configure the **Minimum password age** policy setting to a value of at least 2 days. Users should know about this limitation and contact the Help Desk if they need to change their password during that two-day period. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend.
+Configure the **Minimum password age** policy setting to a value of 1 day. Users should know about this limitation and contact the Help Desk to change a password sooner. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend.
### Potential impact
-If you set a password for a user but wants that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day.
+If you set a password for a user but want that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day.
## Related topics
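Review bot: The Countermeasure text changes "a value of at least 2 days" to "a value of 1 day", dropping "at least", so it now reads as an exact value rather than a floor. If the baseline intends a minimum, write "at least 1 day". In Potential impact, the sentence still switches subject mid-way ("If you set a password ... the administrator must select"); pick one subject while the line is being edited.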
diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
index 8af58b7acd..2d007bb365 100644
--- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
+++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
-ms.date: 10/26/2018
+ms.date: 11/02/2018
---
# Reset account lockout counter after
@@ -31,7 +31,9 @@ A disadvantage to setting this too high is that users lock themselves out for an
### Best practices
-- You need to determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements.
+You need to determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements.
+
+[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockeout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/).
### Location
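Review bot: The added recommendation gives the value as "15" with no unit; state that it is 15 minutes so it cannot be read as attempts or days. "lockeout" is misspelled here as well, identical to the text added in account-lockout-threshold.md, so fix both copies together.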
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index bba7a2624e..ae91d8d14b 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
-ms.date: 08/29/2017
+ms.date: 11/16/2018
---
# System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
@@ -50,7 +50,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP
### Best practices
-- For use with TLS, set this policy to **Enabled**. Client devices with this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Client devices that are connected to the network and do not support these algorithms cannot use servers that require the algorithms for network communications. If you enable this policy setting, you must also configure Internet Explorer to use TLS.
+There are no best practices for this setting. Our previous guidance had recommended a setting of **Enabled**, primarily to align with US Federal government recommendations. [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend this setting be **Not Defined**, meaning that we leave the decision to customers. For a deeper explanation, see [Why We’re Not Recommending “FIPS Mode” Anymore](https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/).
### Location
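Review bot: The removed bullet was the only text in this section that stated the operational effect of enabling the policy: clients cannot talk to servers that lack the FIPS algorithms, and Internet Explorer must be configured for TLS. The replacement explains the change in recommendation but not what happens to an environment that already has the setting **Enabled**. Confirm that this impact is still covered elsewhere in the topic, or keep one sentence of it here. "**Not Defined**" should also match the "Not defined" capitalisation used in the default-value tables of these policy topics.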
diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
index 2e776ea30d..06978674b3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in.
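Review bot: The new "Applies to" link labels its target as Windows Defender Advanced Threat Protection, but the URL is a direct PDF download named Windows10_Commercial_Comparison.pdf on wincom.blob.core.windows.net, a storage hostname rather than a product or documentation page. Readers following an "Applies to" link expect product documentation, and a raw blob URL is harder to recognise as a Microsoft property and breaks silently if the container is reorganised. Suggest pointing at a stable product or docs page, or changing the link text to say it opens an edition comparison PDF. The same line is repeated across the Windows Defender Antivirus topics in this patch, so the fix applies to each.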
diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index 5544020384..cad1984faf 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can perform various Windows Defender Antivirus functions with the dedicated command-line tool mpcmdrun.exe.
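Review bot: The hunk header still shows `ms.date: 09/03/2018` and this file has no hunk touching the front matter, so the visible content changes without the date being updated. The real-time protection topic in this same patch bumps `ms.date` to 11/13/2018 alongside the identical "Applies to" edit; either update the date here and in the other single-hunk files, or leave it unchanged everywhere so the dates mean the same thing across the set.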
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
index c11220d5fc..2af6cfcbc3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can manage and configure Windows Defender Antivirus with the following tools:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
index a1880dbc92..b916b9c91e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -19,7 +19,7 @@ ms.date: 10/25/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
**Use Microsoft Intune to configure scanning options**
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 47b577521b..8f34c26265 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
index c4712bd823..e78a18862c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
index a4e4d1798a..f467dac2b6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
index 05da87967e..ca5c66c4f2 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index 7dc4b3d1f6..8292217735 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
index e948b58760..833abbcaff 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
By default, Windows Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index e993bcf60f..922fb0f10d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 10/08/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index d6806de77b..8a98cffbc7 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index 268fccc556..320078778c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
index 61d9ada7c2..acb2c79bcf 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Antivirus uses several methods to provide threat protection:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
index d5a83c1e36..e063f1fda5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
@@ -11,14 +11,14 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 09/03/2018
+ms.date: 11/13/2018
---
-# Enable and configure antivirius always-on protection and monitoring
+# Enable and configure antivirus always-on protection and monitoring
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
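Review bot: The heading fix from "antivirius" to "antivirus" covers only the H1; the front matter `title:` and `description:` fields sit above line 11 and are outside this hunk, so check that they do not carry the same misspelling, since those values are what search results and the browser tab show. The hunk also combines the date bump, the typo fix and the "Applies to" link change; a short commit note listing all three would make the history easier to follow.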
@@ -42,7 +42,7 @@ Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Real-time protection | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the SmartScreen filter, which scans files before and during downloading | Enabled
-Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled
+Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled | Enabled
Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
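Review bot: The reworded description for "Turn on process scanning whenever real-time protection is enabled" is still ambiguous about when the scan runs. The setting name ties it to real-time protection being enabled, the first sentence says it can be enabled "independently", and the new sentence talks about processes "that started while it was disabled". State the trigger explicitly, for example that running processes are scanned when real-time protection is turned back on, so an administrator does not read this as a substitute for real-time protection while it is off.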
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
index d14d383af2..35159b5198 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 497772dfde..d7c05e739f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
index 03b6bf2fc1..1451728ecf 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can configure Windows Defender Antivirus with a number of tools, including:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index fd8a577fc1..ae4eee36d6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index 6d27b50ff2..38147632bc 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can deploy, manage, and report on Windows Defender Antivirus in a number of ways.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
index 6efcc0eeef..59b048bfda 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index d330eff104..781b5ba5d5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index b149805427..475e161a65 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 10/02/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index 660a9ce1eb..bc76dcf3d8 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
index 743d2497f8..e40b93abd1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
index 942585308e..923a59f0ba 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
@@ -20,7 +20,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
index cae61f23dc..6b53608726 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
index 6bc628a553..7639c8e05b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
index adec043210..bb3a6e46d7 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Antivirus lets you determine when it should look for and download updates.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index 4d2fb15044..24e05dd41a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index 8fb1e91905..c1d9aad15b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
There are two types of updates related to keeping Windows Defender Antivirus up to date:
1. Protection updates
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
index ee85e54424..4ea81cd37f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
index eeb27d5a8f..880d56c9e3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
index ccf84b466b..efa0d8b522 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender Antivirus.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
index 485ea3e2a7..569d88a51c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
@@ -18,12 +18,12 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
1. Open **Windows Security**.
-2. Click **Virus & threat protection** and then click **Scan history**.
+2. Click **Virus & threat protection** and then click **Threat History**.
3. Under **Quarantined threats**, click **See full history**.
4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.)
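Review bot: In step 2 the new label **Threat History** is title-cased, while the other UI labels in the same steps (**Virus & threat protection**, **Quarantined threats**, **See full history**) use sentence case. Please confirm the exact string shown in the Windows Security app and match its casing. Since the label differs between releases (the old text said **Scan history**), it would help to state which Windows 10 version these steps were verified on, so that admins restoring quarantined files on older builds are not sent looking for a menu item that does not exist there.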
diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
index 5ffb2c076c..c75f970b7b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results.
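Review bot: The context line right below the changed bullet still reads "After an Windows Defender Antivirus scan completes"; the article should be "a". This patch already fixes spelling elsewhere ("coexsiting"), so it is worth correcting this sentence in the same pass. The sentence also says "the results are recorded and you can view the results", which could be tightened to "the results are recorded and you can view them".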
diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
index 92f95ad535..7f0a6d6037 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
index ae3d1249f9..d62ac289fe 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
> [!NOTE]
> By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
index df9e3937bc..fe11787198 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
index 28d9cb0243..d1ae21771c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
index a40df9b551..d23df5b8f1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/11/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
index e5cfbb322b..6581b10ed3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
index d453a5b349..89cf104935 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index 8501bb8163..25ca31aa0a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/powershell/mt173057.aspx).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
index e0542aea06..0ae7bc9771 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index 3c436236fe..aebdd79b52 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 406a5296f8..97655419cf 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index 1ef9d7b879..7e7820edbb 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
@@ -69,13 +69,13 @@ Functionality, configuration, and management is largely the same when using Wind
## Related topics
-[Windows Defender AV in the Windows Security app](windows-defender-security-center-antivirus.md)
-[Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)
-[Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md)
-[Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md)
-[Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md)
-[Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md)
-[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-[Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
-[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender AV in the Windows Security app](windows-defender-security-center-antivirus.md)
+- [Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)
+- [Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md)
+- [Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md)
+- [Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md)
+- [Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md)
+- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
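Review bot: The new bullets under "Related topics" keep the abbreviated link text "Windows Defender AV", while the body of this file and the titles of the linked pages use "Windows Defender Antivirus". Since every one of these lines is being rewritten anyway, consider spelling the product name out in the link text so the list matches the page titles a reader will land on.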
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index 729d413d7f..e0ce8b36b5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
index 3304f1be1d..b705e33977 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index e296c871c2..ca5529dfa1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -18,7 +18,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security.
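Review bot: The context sentence after the changed bullet, "the Windows Defender app is part of the Windows Security.", is missing a noun after "Windows Security" and looks like a leftover from a product rename. Suggest "is part of the Windows Security app" (or dropping "the"), fixed in this same change so the page does not ship with a broken opening sentence.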
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index 026ca31daa..3579ace8b1 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -13,7 +13,7 @@ ms.date: 10/17/2017
# Configure Windows Defender Application Guard policy settings
-**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP)
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
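Review bot: The changed line keeps the inline form `**Applies to:** [link]`, whereas install-wd-app-guard.md and all of the Windows Defender Antivirus pages in this patch use `**Applies to:**` followed by a bulleted item. As the line is being edited anyway, consider normalising the Application Guard pages to the bulleted form so the "Applies to" block renders the same way across the set and can be updated by one search-and-replace later.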
diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
index 06a0ab7b13..0c72267505 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -13,7 +13,7 @@ ms.date: 11/07/2017
# Frequently asked questions - Windows Defender Application Guard
-**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP)
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index 11d81398e4..bcc683e524 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -14,7 +14,7 @@ ms.date: 10/19/2017
# Prepare to install Windows Defender Application Guard
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
## Review system requirements
diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
index e60978932b..72eb82edac 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -13,7 +13,7 @@ ms.date: 11/09/2017
# System requirements for Windows Defender Application Guard
-**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP)
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
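Review bot: The context paragraph under the changed line reads "designed to help prevent old, and newly emerging attacks, to help keep employees productive", with stray commas around "and newly emerging attacks". wd-app-guard-overview.md in this same patch has the same sentence without them ("help prevent old and newly emerging attacks to help keep employees productive"). Suggest aligning the two while the file is open.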
diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
index e7f9fe2f97..511904d283 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
@@ -14,7 +14,7 @@ ms.date: 10/16/2018
# Application Guard testing scenarios
-**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP)
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
index de2039986d..b4f08ff71c 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
@@ -13,7 +13,7 @@ ms.date: 09/07/2018
# Windows Defender Application Guard overview
-**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP)
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete.
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index d2282d4c76..7c61e006cd 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -16,7 +16,6 @@
#### [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
-
#### [Incidents queue](incidents-queue.md)
##### [View and organize the Incidents queue](view-incidents-queue.md)
##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
@@ -84,74 +83,7 @@
### [Management and APIs](management-apis.md)
#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
-#####Actor
-###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
-###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-#####Alerts
-###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-
-#####Domain
-###### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-#####File
-###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
-###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
-###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
-###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
-
-#####IP
-###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-#####Machines
-###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
-###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-#####Machines Security States
-###### [Get MachineSecurityStates collection](get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
-#####Machine Groups
-###### [Get MachineGroups collection](get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
-#####User
-###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
-###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
-#####Windows updates (KB) info
-###### [Get KbInfo collection](get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
-#####Common Vulnerabilities and Exposures (CVE) to KB map
-###### [Get CVE-KB map](get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
-
-
+#### [Windows Defender ATP APIs](apis-intro.md)
#### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md)
@@ -182,17 +114,19 @@
##### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
#### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
-### [Access the Windows Security app](community-windows-defender-advanced-threat-protection.md)
+### [Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md)
## [Configure and manage capabilities](onboard.md)
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
#### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md)
##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
-#### [Device control](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-##### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
-###### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-###### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+#### Device control
+##### [Control USB devices](../device-control/control-usb-devices-using-intune.md)
+##### [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+###### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
+####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
#### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
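Review bot: The new Device control subtree nests to seven `#` (`####### [Hardware qualifications]` and `####### [Enable HVCI]`), one level deeper than the six heading levels Markdown defines. Confirm that the TOC build renders these two entries as children of Memory integrity, or flatten the subtree by one level. `#### Device control` is also now an unlinked node, unlike its linked siblings; that is fine if it is meant as a pure container, otherwise give it a landing page.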
@@ -290,6 +224,160 @@
##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+
+#### [Use the Windows Defender ATP exposed APIs](use-apis.md)
+##### Create your app
+###### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md)
+###### [Get access without a user](exposed-apis-create-app-webapp.md)
+##### [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+###### [Advanced Hunting](run-advanced-query-api.md)
+
+###### [Alert](alerts-windows-defender-advanced-threat-protection-new.md)
+####### [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)
+####### [Update Alert](update-alert-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related domains information](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related IPs information](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
+
+###### Domain
+####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+###### [File](files-windows-defender-advanced-threat-protection-new.md)
+####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+###### IP
+####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
+
+###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
+####### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
+
+###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md)
+####### [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+####### [Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md)
+####### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+####### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
+####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+
+
+###### [User](user-windows-defender-advanced-threat-protection-new.md)
+####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
+
+##### How to use APIs - Samples
+###### Advanced Hunting API
+####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
+####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+####### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
+###### Multiple APIs
+####### [PowerShell](exposed-apis-full-sample-powershell.md)
+###### [Using OData Queries](exposed-apis-odata-samples.md)
+
+#### [Use the Windows Defender ATP exposed APIs (deprecated)](exposed-apis-windows-defender-advanced-threat-protection.md)
+##### [Supported Windows Defender ATP APIs (deprecated)](supported-apis-windows-defender-advanced-threat-protection.md)
+######Actor (deprecated)
+####### [Get actor information (deprecated)](get-actor-information-windows-defender-advanced-threat-protection.md)
+####### [Get actor related alerts (deprecated)](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+######Alerts (deprecated)
+####### [Get alerts (deprecated)](get-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get alert information by ID (deprecated)](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get alert related actor information (deprecated)](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related domain information (deprecated)](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related file information (deprecated)](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related IP information (deprecated)](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related machine information (deprecated)](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+######Domain (deprecated)
+####### [Get domain related alerts (deprecated)](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get domain related machines (deprecated)](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get domain statistics (deprecated)](get-domain-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is domain seen in organization (deprecated)](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+######File(deprecated)
+####### [Block file (deprecated)](block-file-windows-defender-advanced-threat-protection.md)
+####### [Get file information (deprecated)](get-file-information-windows-defender-advanced-threat-protection.md)
+####### [Get file related alerts (deprecated)](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get file related machines (deprecated)](get-file-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get file statistics (deprecated)](get-file-statistics-windows-defender-advanced-threat-protection.md)
+####### [Get FileActions collection (deprecated)](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Unblock file (deprecated)](unblock-file-windows-defender-advanced-threat-protection.md)
+
+######IP (deprecated)
+####### [Get IP related alerts (deprecated)](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get IP related machines (deprecated)](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get IP statistics (deprecated)](get-ip-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is IP seen in organization (deprecated)](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+######Machines (deprecated)
+####### [Collect investigation package (deprecated)](collect-investigation-package-windows-defender-advanced-threat-protection.md)
+####### [Find machine information by IP (deprecated)](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineAction object (deprecated)](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineActions collection (deprecated)](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machine by ID (deprecated)](get-machine-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get machine log on users (deprecated)](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+####### [Get machine related alerts (deprecated)](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get MachineAction object (deprecated)](get-machineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get MachineActions collection (deprecated)](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get package SAS URI (deprecated)](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+####### [Isolate machine (deprecated)](isolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Release machine from isolation (deprecated)](unisolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Remove app restriction (deprecated)](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Request sample (deprecated)](request-sample-windows-defender-advanced-threat-protection.md)
+####### [Restrict app execution (deprecated)](restrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Run antivirus scan (deprecated)](run-av-scan-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine file (deprecated)](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+######User (deprecated)
+####### [Get alert related user information (deprecated)](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+####### [Get user information (deprecated)](get-user-information-windows-defender-advanced-threat-protection.md)
+####### [Get user related alerts (deprecated)](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get user related machines (deprecated)](get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
#### API for custom alerts
##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
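Review bot: The section headings in the deprecated subtree are missing the space after the hashes (`######Actor (deprecated)`, `######Alerts (deprecated)`, `######File(deprecated)` and the rest), unlike the new `###### Domain` and `###### IP` nodes above, so they may not parse as TOC nodes. Add the space, plus a space before the parenthesis in `File(deprecated)`. `Get machines (deprecated)` is listed twice under Machines, a duplicate carried over from the removed block. The run of empty `+` lines before `#### API for custom alerts` should be dropped. Finally, `exposed-apis-windows-defender-advanced-threat-protection.md` is now linked under two conflicting titles: marked "(deprecated)" in the added entry, and without that label in the unchanged `API for custom alerts` entry at the end of the hunk.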
diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..e28bac587b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,110 @@
+---
+title: Add or Remove Machine Tags API
+description: Use this API to Add or Remove machine tags.
+keywords: apis, graph api, supported apis, tags, machine tags
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Add or Remove Machine Tags API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- Adds or remove tag to a specific machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/tags
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Value | String | The tag name. **Required**.
+Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
+
+
+## Response
+If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of a request that adds machine tag.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/863fed4b174465c703c6e412965a31b5e1884cc4/tags
+Content-type: application/json
+{
+ "Value" : "Test Tag",
+ "Action": "Add"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
+ "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+ "computerDnsName": "mymachine55.contoso.com",
+ "firstSeen": "2018-07-31T14:20:55.8223496Z",
+ "lastSeen": "2018-09-27T08:44:05.6228836Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "lastIpAddress": "10.248.240.38",
+ "lastExternalIpAddress": "167.220.2.166",
+ "agentVersion": "10.3720.16299.98",
+ "osBuild": 16299,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [
+ "Test Tag"
+ ],
+ "rbacGroupId": 75,
+ "riskScore": "Medium",
+ "aadDeviceId": null
+}
+
+```
+
+To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
\ No newline at end of file
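Review bot: The request example omits the `Authorization: Bearer {token}` header that the Request headers table marks as **Required**, so a reader who copies it sends an unauthenticated call; add the header to the example. Under **Applies to:**, the line `- Adds or remove tag to a specific machine.` is formatted as a second applicability bullet; move it out of the list as the page description and fix the grammar ("Adds or removes a tag on a specific machine"). The sample response carries a publicly routable `lastExternalIpAddress` (`167.220.2.166`); a documentation-range address is the safer choice for published examples. The header table also mixes `String` and `string` as type names, `ms.date: 12/08/2017` looks copied from an older page, and the file lacks a trailing newline.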
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index f9464104e2..99fb91e493 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 09/28/2018
# Configure advanced features in Windows Defender ATP
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
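Review bot: The product name under **Applies to:** now links to `Windows10_Commercial_Comparison.pdf` on `wincom.blob.core.windows.net`, a raw storage URL, and the link text gives no hint that it opens a PDF rather than a product page. Prefer a stable docs URL or a redirect the docs team controls, and say in the link text that the target is a PDF. The same replacement is repeated in several other files in this patch, while the API pages added in this commit keep the plain-text bullet; pick one convention so **Applies to:** reads the same across the set.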
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
index d215d46fec..046e911ac9 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
index f12506e54b..9366ed298f 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 06/01/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
@@ -113,4 +113,4 @@ To effectively build queries that span multiple tables, you need to understand t
## Related topic
- [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
-- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
+- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
index cc70b589cc..182eacc7b7 100644
--- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 04/24/2018
# View and organize the Windows Defender Advanced Threat Protection Alerts queue
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..b1cde1afaf
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,81 @@
+---
+title: Get alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Alert resource type
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Represents an alert entity in WDATP.
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](alerts-windows-defender-advanced-threat-protection-new.md) object.
+[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection.
+[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[Alert](alerts-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
+[List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection| List URLs associated with the alert.
+[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [File](files-windows-defender-advanced-threat-protection-new.md) collection | List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+[List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated with the alert.
+[Get related machines](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [Machine](machine-windows-defender-advanced-threat-protection-new.md) | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+[Get related users](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [User](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Alert ID
+severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
+status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+description | String | Description of the threat, identified by the alert.
+recommendedAction | String | Action recommended for handling the suspected threat.
+alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
+title | string | Alert title
+threatFamilyName | string | Threat family
+detectionSource | string | Detection source
+assignedTo | String | Owner of the alert
+classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
+lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
+firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
+machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
+
+# JSON representation
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+}
+```
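Review bot: The JSON representation contradicts the Properties table: `"severity": "Informational"` is not among the allowed values 'Low', 'Medium' and 'High', and `actorName` appears in the sample but has no row in the table. Extend the table or correct the sample, since API consumers will validate against these enums. The front matter (`title: Get alerts API`, `description: Retrieves top recent alerts.`) describes a list operation and does not match the `# Alert resource type` heading. `occurance` should be `occurrence` in the `lastEventTime` and `firstEventTime` rows. The category list contains both 'CredentialTheft' and 'CredentialStealing', which is worth confirming as intentional. `Methods`, `Properties` and `JSON representation` are all level-one headings alongside the page title and should be `##`.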
diff --git a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
index 385dfdea3a..421206a7f9 100644
--- a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 10/16/2017
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/apis-intro.md b/windows/security/threat-protection/windows-defender-atp/apis-intro.md
new file mode 100644
index 0000000000..304eed3564
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/apis-intro.md
@@ -0,0 +1,57 @@
+---
+title: Windows Defender Advanced Threat Protection API overview
+description: Learn how you can use APIs to automate workflows and innovate based on Windows Defender ATP capabilities
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Windows Defender ATP API overview
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+
+As a developer, you decide which permissions for Windows Defender ATP your app requests. When a user signs in to your app they (or, in some cases, an administrator) are given a chance to give consent to these permissions. If the user provides consent, your app is given access to the resources and APIs that it has requested. For apps that don't take a signed-in user, permissions can be pre-approved to by an administrator when the app is installed or during sign-up.
+
+## Delegated permissions, application permissions, and effective permissions
+
+Windows Defender ATP has two types of permissions: delegated permissions and application permissions.
+
+- **Delegated permissions**
+ Used by apps that have a signed-in user present. For these apps either the user or an administrator provides consent to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Windows Defender ATP. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
+- **Application permissions**
+ Used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.
+
+Effective permissions are permissions that your app will have when making requests to Windows Defender ATP. It is important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to Windows Defender ATP.
+
+- For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see [Assigning administrator roles in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles).
+
+ For example, assume your app has been granted the `Machine.CollectForensics` delegated permission. This permission nominally grants your app permission to collect investigation package from a machine. If the signed-in user has 'Alerts Investigation' permission, your app will be able to collect investigation package from a machine, if the machine belongs to a group the user is exposed to. However, if the signed-in user doesn't have 'Alerts Investigation' permission, your app won't be able to collect investigation package from any machine.
+
+- For application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. For example, an app that has the `Machine.CollectForensics` application permission can collect investigation package from any machine in the organization.
+
+
+## Related topics
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)
+- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
\ No newline at end of file
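Review bot: the introduction links only to the OAuth 2.0 Authorization Code Flow, but the page also covers apps that run without a signed-in user (application permissions), and those do not obtain tokens through the authorization code flow; link the app-only flow as well, or point to the two "Access Windows Defender ATP ..." pages from that sentence. In the application permissions bullet, "any machine in the organization" means the user role and machine group limits described for delegated permissions do not apply, which deserves an explicit sentence since it decides which permission type an integrator should request. Smaller points: "can be pre-approved to by an administrator" has a stray "to", "collect investigation package" is missing an article throughout, and the file has no trailing newline.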
diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
index 0bd1a15c11..700bbaef2b 100644
--- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 09/03/2018
**Applies to:**
- Azure Active Directory
- Office 365
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
index ab1b1ae399..f54267ebfe 100644
--- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 28/02/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md
index 9835695e87..f5f0d320e5 100644
--- a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md
@@ -11,14 +11,14 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/13/2018
+ms.date: 11/09/2018
---
# Use basic permissions to access the portal
**Applies to:**
- Azure Active Directory
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
@@ -79,9 +79,10 @@ For more information see, [Manage Azure AD group and role membership](https://te
6. Select **Manage** > **Directory role**.
-7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
+7. Select **Add role** and choose the role you'd like to assign, then click **Select**.
- 
+
+ 
## Related topic
- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
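Review bot: the rewritten step 7 drops the role names the old text gave (Security Reader, Security Administrator), so the procedure no longer says which directory roles are meant for portal access and "the role you'd like to assign" could be read as any role. If those two roles are still the intended choices, name them in the new step. The image alt text "Image of Microsoft Azure portal" could also say what the screenshot shows (the Add role pane).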
diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
index 077304ed7f..64f4c8d321 100644
--- a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Block file API
+# Block file API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Prevent a file from being executed in the organization using Windows Defender Antivirus.
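Review bot: the [!include[Deprecatedinformation](deprecate.md)] line is added directly under the "Applies to" bullet with no blank line before it, so a Markdown renderer may fold it into the list item; the new pages in this patch leave a blank line before their prerelease include, and the same spacing would be safer here.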
diff --git a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
index c2b79d845d..4b525298cf 100644
--- a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 04/24/2018
# Check sensor health state in Windows Defender ATP
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..bcd6861b37
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,98 @@
+---
+title: Collect investigation package API
+description: Use this API to create calls related to the collecting an investigation package from a machine.
+keywords: apis, graph api, supported apis, collect investigation package
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Collect investigation package API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Collect investigation package from a machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.CollectForensics | 'Collect forensics'
+Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
+Content-type: application/json
+{
+ "Comment": "Collect forensics due to alert 1234"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "c9042f9b-8483-4526-87b5-35e4c2532223",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": " Collect forensics due to alert 1234",
+ "status": "InProgress",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+ "relatedFileInfo": null
+}
+
+```
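Review bot: the request and response samples do not describe the same call. The request targets machine fb9ab6be3965095a09c057be7c90f0a2 (32 hex characters) while the response returns "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f" (40 characters, the length used for machineId in the alert sample), and "requestorComment" comes back with a leading space that the request's "Comment" does not have. Use one machine ID in both and make the comment strings match. The request sample also omits the Authorization header that the headers table marks as required, both samples lack the blank line that separates HTTP headers from the body, the headers table mixes "String" and "string", and the front-matter description reads "related to the collecting an investigation package".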
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
index 278068d40a..74df3d6aa3 100644
--- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Collect investigation package API
+# Collect investigation package API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Collect investigation package from a machine.
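Review bot: the page is marked deprecated but nothing in the hunk sends the reader to the replacement page added in this same patch (collect-investigation-package-windows-defender-advanced-threat-protection-new.md); unless deprecate.md already does that, add a link under the heading. The hunk also deletes the blank line after the "Applies to" bullet and puts the include directly beneath it, which risks the include rendering as part of the list item.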
diff --git a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
index 4221621c34..4561797028 100644
--- a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 04/24/2018
# Access the Windows Defender ATP Community Center
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
index 72d6473f97..4e24ca1381 100644
--- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 04/24/2018
# Enable conditional access to better protect users, devices, and data
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
index fabaf74f07..b3d5cbfb91 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 10/16/2017
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md
index eae78c84fa..2c223e0718 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ ms.date: 09/03/2018
# Configure conditional access in Windows Defender ATP
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
This section guides you through all the steps you need to take to properly implement conditional access.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 16d4c73d26..94c5bfc2d5 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 10/08/2018
# Configure alert notifications in Windows Defender ATP
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 3ca88add4f..9b791272a5 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -20,7 +20,7 @@ ms.date: 04/24/2018
- Group Policy
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 25afed579f..e0c41580fa 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 09/19/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
index e5fa2adf95..3702b187d3 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 10/03/2018
- macOS
- Linux
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 6758d81fd7..707a5887a8 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
- System Center 2012 Configuration Manager or later versions
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index 04ac622d7d..69bb28ccaa 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
index 8a41625b88..8371836083 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 07/12/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md
index 1dfed290f7..cbff3e3945 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 09/03/2018
# Configure managed security service provider integration
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 4b2c89021e..2609656756 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -11,14 +11,14 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/12/2018
+ms.date: 11/14/2018
---
# Configure machine proxy and Internet connectivity settings
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
@@ -98,8 +98,28 @@ United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.dat
United States | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
+
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
+## Windows Defender ATP service backend IP range
+If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
+
+Windows Defender ATP is built on Azure cloud, deployed in the following regions:
+
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+
+
+You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
+
+>[!NOTE]
+> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
+
## Verify client connectivity to Windows Defender ATP service URLs
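Review bot: as it appears here, the seven bullets under "deployed in the following regions" contain only \+\ and no region names, so the new section does not say which Azure regions to allow; check that the region text was not lost to escaping. In the sentence above the list, "If you network devices" should be "If your network devices", and "It's recommended you move to DNS resolving setting" in the note would be clearer as a direct instruction to prefer the URL-based rules from the previous section, since the note itself says the IP ranges can change.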
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
index eab2954c47..32cc18106d 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 10/09/2018
+ms.date: 11/02/2018
---
# Onboard servers to the Windows Defender ATP service
@@ -21,7 +21,7 @@ ms.date: 10/09/2018
- Windows Server 2016
- Windows Server, version 1803
- Windows Server, 2019
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Prerelease information](prerelease.md)]
@@ -44,6 +44,10 @@ For a practical guidance on what needs to be in place for licensing and infrastr
To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to:
- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
+
+ >[!NOTE]
+ >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
+
- Turn on server monitoring from Windows Defender Security Center.
- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
index 84bdc39057..e2c82a3cc0 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 10/16/2017
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
index b9cd80ca8b..09b8cf9087 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 10/16/2017
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..53054cc36b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,93 @@
+---
+title: Create alert from event API
+description: Creates an alert using event details
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Create alert from event API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alerts.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
+
+## Request body
+In the request body, supply the following values (all are required):
+
+Property | Type | Description
+:---|:---|:---
+machineId | String | Id of the machine on which the event was identified. **Required**.
+severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
+title | String | Title for the alert. **Required**.
+description | String | Description of the alert. **Required**.
+recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert.
+eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
+reportId | String | The reportId, as obtained from the advanced query. **Required**.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
+
+
+## Response
+If successful, this method returns 200 OK, and a new [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+Content-Length: application/json
+
+{
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "severity": "Low",
+ "title": "test alert",
+ "description": "redalert",
+ "recommendedAction": "white alert",
+ "eventTime": "2018-08-03T16:45:21.7115183Z",
+ "reportId": "20776",
+ "category": "None"
+}
+```
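Review bot: The example request sends `Content-Length: application/json`, which should be `Content-Type: application/json`, and it omits the `Authorization: Bearer {token}` header that the Request headers table marks as required. The Request body section says "all are required", but recommendedAction and category carry no **Required** marker in the table; either mark them or drop the parenthetical. The permissions table mixes `Alerts.ReadWrite.All` and `Alert.ReadWrite` (plural and singular), which is worth confirming against the real scope names because callers will copy them verbatim. The Example section has a Request but no Response, and the `[!include[Improve request performance]...]` line is wedged between "Here is an example of the request." and its code block.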
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md
index 2d717ef457..60545d5706 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md
@@ -11,15 +11,14 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 10/29/2018
---
# Create custom detections rules
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-[!include[Prereleaseinformation](prerelease.md)]
1. In the navigation pane, select **Advanced hunting**.
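Review bot: The heading in the context lines still reads "Create custom detections rules"; since this hunk already edits the header block of the page, correct it to "Create custom detection rules" in the same change.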
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 6f9e0fb968..67591e6f98 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
@@ -187,7 +187,6 @@ The API currently supports the following IOC types:
- Sha1
- Sha256
- Md5
-- FileName
- IpAddress
- DomainName
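Review bot: Dropping `FileName` from the list of supported IOC types is a statement about API behaviour, not an editorial change, yet the hunk gives no indication of what callers who already submit FileName indicators should expect. Add a sentence on what happens to such indicators or requests, and check the rest of the page for examples that still use the FileName type.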
diff --git a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
index 44863a8a91..0232707da6 100644
--- a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index d06e1d8c9d..c2a6e3f9c3 100644
--- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 09/07/2018
# Windows Defender ATP data storage and privacy
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
index ece3b28679..420fba6b8f 100644
--- a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -20,7 +20,7 @@ ms.date: 04/24/2018
- Windows Defender
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..b0d3efb765
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,77 @@
+---
+title: Delete Ti Indicator.
+description: Deletes Ti Indicator entity by ID.
+keywords: apis, public api, supported apis, delete, ti indicator, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Delete TI Indicator API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a TI Indicator entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
+
+
+## HTTP request
+```
+Delete https://api.securitycenter.windows.com/api/tiindicators/{id}
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If TI Indicator exist and deleted successfully - 204 OK without content.
+If TI Indicator with the specified id was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+DELETE https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 204 NO CONTENT
+
+```
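Review bot: The summary sentence under "Applies to" reads "Retrieves a TI Indicator entity by ID.", which is wrong for a delete operation; it is also attached directly to the bullet list with no blank line, so it will render as part of the list item. The Response section says "204 OK without content" while the example shows `HTTP/1.1 204 NO CONTENT`; 204 is No Content, so the prose should match. The HTTP request block spells the method "Delete" while the example uses "DELETE", and the example request omits the Authorization header that the headers table marks as required. Minor: the front-matter title "Delete Ti Indicator." has a trailing period and different casing from the H1 "Delete TI Indicator API".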
diff --git a/windows/security/threat-protection/windows-defender-atp/deprecate.md b/windows/security/threat-protection/windows-defender-atp/deprecate.md
new file mode 100644
index 0000000000..fe73a4d416
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/deprecate.md
@@ -0,0 +1,7 @@
+---
+ms.date: 10/17/2018
+---
+>[!WARNING]
+
+
+> This page documents a feature that will soon be deprecated. For the updated and supported version, see [Use the Windows Defender ATP APIs](use-apis.md).
\ No newline at end of file
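Review bot: The two blank lines between `>[!WARNING]` and the `> This page documents ...` line end the blockquote, so the alert marker and its text will render as separate blocks and the warning itself will be empty. Put the text on the line immediately after the marker. The file also has no trailing newline.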
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
index 1010fe1684..f13739ad9c 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
index 1e416dcaa7..e88f1959d0 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index d160ae5c3a..fbe3783a63 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 10/08/2018
# Enable SIEM integration in Windows Defender ATP
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md
index 439774a08a..3422e6cbff 100644
--- a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md
@@ -15,7 +15,7 @@ ms.date: 08/10/2018
---
# Evaluate Windows Defender ATP
-Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
+[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
You can evaluate Windows Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp).
diff --git a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
index 4f2681cf36..7d43f2c2a2 100644
--- a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -21,7 +21,7 @@ ms.date: 05/21/2018
- Event Viewer
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index e0399dc1d9..8aeb2539ee 100644
--- a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 11/09/2017
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md
new file mode 100644
index 0000000000..679dc47866
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md
@@ -0,0 +1,175 @@
+---
+title: Use Windows Defender Advanced Threat Protection APIs
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Use Windows Defender ATP APIs
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+This page describe how to create an application to get programmatical access to Windows Defender ATP on behalf of a user.
+
+If you need programmatical access Windows Defender ATP without a user, refer to [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md).
+
+If you are not sure which access you need, read the [Introduction page](apis-intro.md).
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+
+>[!NOTE]
+> When accessing Windows Defender ATP API on behalf of a user, you will need the correct app permission and user permission.
+> If you are not familiar with user permissions on Windows Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
+
+>[!TIP]
+> If you have the permission to perform an action in the portal, you have the permission to perform the action in the API.
+
+## Create an app
+
+1. Log on to [Azure](https://portal.azure.com).
+
+2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
+
+ 
+
+3. In the Create window, enter the following information then click **Create**.
+
+ 
+
+ - **Name:** -Your app name-
+ - **Application type:** Native
+ - **Redirect URI:** `https://127.0.0.1`
+
+
+4. Click **Settings** > **Required permissions** > **Add**.
+
+ 
+
+5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+
+ **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+ 
+
+6. Click **Select permissions** > check **Read alerts** and **Collect forensics** > **Select**.
+
+ >[!IMPORTANT]
+ >You need to select the relevant permissions. 'Read alerts' and 'Collect forensics' are only an example.
+
+ 
+
+ For instance,
+
+ - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+ - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission
+
+ To determine which permission you need, look at the **Permissions** section in the API you are interested to call.
+
+
+7. Click **Done**
+
+ 
+
+8. Click **Grant permissions**
+
+ In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button.
+
+ If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect.
+
+ 
+
+9. Write down your application ID.
+
+ 
+
+
+## Get an access token
+
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
+### Using C#
+
+The code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+
+- Create a new Console Application
+- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Add the below using
+
+ ```
+ using Microsoft.IdentityModel.Clients.ActiveDirectory;
+ ```
+
+- Copy/Paste the below code in your application (pay attention to the comments in the code)
+
+ ```
+ const string authority = "https://login.windows.net";
+ const string wdatpResourceId = "https://api.securitycenter.windows.com";
+
+ string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
+ string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+
+ string username = "SecurityAdmin123@microsoft.com"; // Paste your username here
+ string password = GetPasswordFromSafePlace(); // Paste your own password here for a test, and then store it in a safe place!
+
+ UserPasswordCredential userCreds = new UserPasswordCredential(username, password);
+
+ AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}");
+ AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, appId, userCreds).GetAwaiter().GetResult();
+ string token = authenticationResult.AccessToken;
+ ```
+
+## Validate the token
+
+Sanity check to make sure you got a correct token:
+- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Validate you get a 'scp' claim with the desired app permissions
+- In the screenshot below you can see a decoded token acquired from the app in the tutorial:
+
+
+
+## Use the token to access Windows Defender ATP API
+
+- Choose the API you want to use - [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme)
+- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+
+- Example of sending a request to get a list of alerts **using C#**
+ ```
+ var httpClient = new HttpClient();
+
+ var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
+
+ request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+ var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+
+ // Do something useful with the response
+ ```
+
+## Related topics
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)
\ No newline at end of file
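Review bot: The only token sample under "Get an access token" uses `UserPasswordCredential` with a username and password held in the program, although the introduction points readers to the OAuth 2.0 Authorization Code Flow and the app is registered with a redirect URI that the sample never uses. For a page about acting on behalf of a user, show an interactive sign-in sample or state explicitly why the password-based call is used here; the comment "Paste your own password here for a test" invites committing a credential, and `GetPasswordFromSafePlace()` is not defined anywhere. The "AAD tutorial" link in that section points to the client-credentials page (`...oauth-client-creds`), which describes the app-only flow rather than this one, and the sample username uses the microsoft.com domain where a reserved example domain would be safer. The second snippet uses `await`, `HttpClient` and `AuthenticationHeaderValue` without listing the usings it needs, and the front-matter title "Use Windows Defender Advanced Threat Protection APIs" does not name the on-behalf-of-user scenario this page covers. Typos to fix in passing: "progammatic", "This page describe", "programmatical access Windows Defender ATP", "The code was below tested", "more then one", and "the Admin's tenant must press".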
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md
new file mode 100644
index 0000000000..ca0153916b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md
@@ -0,0 +1,220 @@
+---
+title: Create an app to access Windows Defender ATP without a user
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Create an app to access Windows Defender ATP without a user
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
+This page describes how to create an application to get programmatical access to Windows Defender ATP without a user.
+
+If you need programmatical access Windows Defender ATP on behalf of a user, see [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
+
+If you are not sure which access you need, see [Use Windows Defender ATP APIs](apis-intro.md).
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+
+## Create an app
+
+1. Log on to [Azure](https://portal.azure.com).
+
+2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
+
+ 
+
+3. In the Create window, enter the following information then click **Create**.
+
+ 
+
+ - **Name:** WdatpEcosystemPartner
+ - **Application type:** Web app / API
+ - **Redirect URI:** `https://WdatpEcosystemPartner.com` (The URL where user can sign in and use your app. You can change this URL later.)
+
+
+4. Click **Settings** > **Required permissions** > **Add**.
+
+ 
+
+5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+
+ **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+ 
+
+6. Click **Select permissions** > **Run advanced queries** > **Select**.
+
+ **Important note**: You need to select the relevant permission. 'Run advanced queries' is only an example!
+
+ 
+
+ For instance,
+
+ - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+ - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission
+
+ To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
+
+7. Click **Done**
+
+ 
+
+8. Click **Grant permissions**
+
+ In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button.
+
+ If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect.
+
+ 
+
+9. Click **Keys** and type a key name and click **Save**.
+
+ **Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave!
+
+ 
+
+10. Write down your application ID.
+
+ 
+
+11. Set your application to be multi-tenanted
+
+ This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant).
+
+ This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data)
+
+ Click **Properties** > **Yes** > **Save**.
+
+ 
+
+
+## Application consent
+You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer.
+
+You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
+
+Consent link is of the form:
+
+```
+https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
+```
+
+where 00000000-0000-0000-0000-000000000000 should be replaced with your Azure application ID
+
+
+## Get an access token
+
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
+### Using C#
+
+>The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+
+- Create a new Console Application
+- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Add the below using
+
+ ```
+ using Microsoft.IdentityModel.Clients.ActiveDirectory;
+ ```
+
+- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
+
+ ```
+ string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
+ string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+ string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place!
+
+ const string authority = "https://login.windows.net";
+ const string wdatpResourceId = "https://api.securitycenter.windows.com";
+
+ AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/");
+ ClientCredential clientCredential = new ClientCredential(appId, appSecret);
+ AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult();
+ string token = authenticationResult.AccessToken;
+ ```
+
+### Using PowerShell
+
+Refer to [Get token using PowerShell](run-advanced-query-sample-powershell.md#get-token)
+
+### Using Python
+
+Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
+
+### Using Curl
+
+> [!NOTE]
+> The below procedure supposed Curl for Windows is already installed on your computer
+
+- Open a command window
+- Set CLIENT_ID to your Azure application ID
+- Set CLIENT_SECRET to your Azure application secret
+- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application
+- Run the below command:
+
+```
+curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
+```
+
+You will get an answer of the form:
+
+```
+{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn aWReH7P0s0tjTBX8wGWqJUdDA"}
+```
+
+## Validate the token
+
+Sanity check to make sure you got a correct token:
+- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Validate you get a 'roles' claim with the desired permissions
+- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Wdatp's roles:
+
+
+
+## Use the token to access Windows Defender ATP API
+
+- Choose the API you want to use, for more information, see [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme)
+- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+
+- Example of sending a request to get a list of alerts **using C#**
+ ```
+ var httpClient = new HttpClient();
+
+ var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
+
+ request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+ var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+
+ // Do something useful with the response
+ ```
+
+## Related topics
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md
new file mode 100644
index 0000000000..5c554d4040
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md
@@ -0,0 +1,118 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# Windows Defender ATP APIs using PowerShell
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Full scenario using multiple APIs from Windows Defender ATP.
+
+In this section we share PowerShell samples to
+ - Retrieve a token
+ - Use token to retrieve the latest alerts in Windows Defender ATP
+ - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL.
+
+>**Prerequisite**: You first need to [create an app](apis-intro.md).
+
+## Preparation Instructions
+
+- Open a PowerShell window.
+- If your policy does not allow you to run the PowerShell commands, you can run the below command:
+```
+Set-ExecutionPolicy -ExecutionPolicy Bypass
+```
+
+>For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
+
+## Get token
+
+- Run the below
+
+> - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
+> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+> - $appSecret: Secret of your AAD app
+> - $suspiciousUrl: The URL
+
+
+```
+$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
+$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
+$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
+$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here
+
+$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$authBody = [Ordered] @{
+ resource = "$resourceAppIdUri"
+ client_id = "$appId"
+ client_secret = "$appSecret"
+ grant_type = 'client_credentials'
+}
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$aadToken = $authResponse.access_token
+
+
+#Get latest alert
+$alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10"
+$headers = @{
+ 'Content-Type' = 'application/json'
+ Accept = 'application/json'
+ Authorization = "Bearer $aadToken"
+}
+$alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop
+$alerts = ($alertResponse | ConvertFrom-Json).value
+
+$machinesToInvestigate = New-Object System.Collections.ArrayList
+
+Foreach($alert in $alerts)
+{
+ #echo $alert.id $alert.machineId $alert.severity $alert.status
+
+ $isSevereAlert = $alert.severity -in 'Medium', 'High'
+ $isOpenAlert = $alert.status -in 'InProgress', 'New'
+ if($isOpenAlert -and $isSevereAlert)
+ {
+ if (-not $machinesToInvestigate.Contains($alert.machineId))
+ {
+ $machinesToInvestigate.Add($alert.machineId) > $null
+ }
+ }
+}
+
+$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')
+
+$query = "NetworkCommunicationEvents
+| where MachineId in ($commaSeparatedMachines)
+| where RemoteUrl == `"$suspiciousUrl`"
+| summarize ConnectionsCount = count() by MachineId"
+
+$queryUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run"
+
+$queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query }
+$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop
+$response = ($queryResponse | ConvertFrom-Json).Results
+$response
+
+```
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
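Review bot: The preparation step tells readers to run `Set-ExecutionPolicy -ExecutionPolicy Bypass` with no `-Scope`, which changes the policy for the whole machine rather than for this session; suggest `-Scope Process` so the sample does not leave script execution unrestricted afterwards. In the script, `$suspiciousUrl` and the machine IDs are concatenated straight into the query text, and when no alert matches the severity and status filter `$commaSeparatedMachines` is `""` and the query is still sent; guard on an empty `$machinesToInvestigate` before building the query. The front matter title and description ("Advanced Hunting API") do not match the H1, and the `$suspiciousUrl: The URL` parameter description is incomplete.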
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md
new file mode 100644
index 0000000000..101b345a77
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md
@@ -0,0 +1,58 @@
+---
+title: Supported Windows Defender Advanced Threat Protection query APIs
+description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to.
+keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Supported Windows Defender ATP query APIs
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
+
+## End Point URI and Versioning
+
+### End Point URI:
+
+> The service base URI is: https://api.securitycenter.windows.com
+
+> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to https://api.securitycenter.windows.com/api/alerts
+
+### Versioning:
+
+> The API supports versioning.
+
+> The current version is **V1.0**.
+
+> To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts
+
+> If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version.
+
+
+Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
+
+## In this section
+Topic | Description
+:---|:---
+Advanced Hunting | Run queries from API.
+Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
+Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization.
+File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
+IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
+Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
+User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
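Review bot: The front matter has `ms.date: 30/07/2018`, which is day-first while the other new files in this change use month-first dates such as `09/24/2018`; as written it is not a valid MM/DD/YYYY date. In the table, the Domain row lists "domain related machines" twice (the first was presumably meant to be domain related alerts), and the IP row reads "check if and IP is seen" where "an IP" is intended.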
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
new file mode 100644
index 0000000000..dfc82df1d8
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
@@ -0,0 +1,232 @@
+---
+title: OData queries with Windows Defender ATP
+description: OData queries with Windows Defender ATP
+keywords: apis, supported apis, odata, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 11/15/2018
+---
+
+# OData queries with Windows Defender ATP
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
+
+- Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.
+- [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.
+
+### Example 1
+
+**Get all the machines with the tag 'ExampleTag'**
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba",
+ "computerDnsName": "examples.dev.corp.Contoso.com",
+ "firstSeen": "2018-03-07T11:19:11.7234147Z",
+ "lastSeen": "2018-11-15T11:23:38.3196947Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "123.17.255.241",
+ "lastExternalIpAddress": "123.220.196.180",
+ "agentVersion": "10.6400.18282.1001",
+ "osBuild": 18282,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [
+ "ExampleTag"
+ ],
+ "rbacGroupId": 5,
+ "rbacGroupName": "Developers",
+ "riskScore": "North",
+ "aadDeviceId": null
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 2
+
+- Get all the machines with 'High' 'RiskScore'
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High'
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "e3a77eeddb83d581238792387b1239b01286b2f",
+ "computerDnsName": "examples.dev.corp.Contoso.com",
+ "firstSeen": "2016-11-02T23:26:03.7882168Z",
+ "lastSeen": "2018-11-12T10:27:08.708723Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "123.123.10.33",
+ "lastExternalIpAddress": "124.124.160.172",
+ "agentVersion": "10.6300.18279.1001",
+ "osBuild": 18279,
+ "healthStatus": "ImpairedCommunication",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 5,
+ "rbacGroupName": "Developers",
+ "riskScore": "High",
+ "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 3
+
+- Get top 100 machines with 'HealthStatus' not equals to 'Active'
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1113333ddb83d581238792387b1239b01286b2f",
+ "computerDnsName": "examples.dev.corp.Contoso.com",
+ "firstSeen": "2016-11-02T23:26:03.7882168Z",
+ "lastSeen": "2018-11-12T10:27:08.708723Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "123.123.10.33",
+ "lastExternalIpAddress": "124.124.160.172",
+ "agentVersion": "10.6300.18279.1001",
+ "osBuild": 18279,
+ "healthStatus": "ImpairedCommunication",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 5,
+ "rbacGroupName": "Developers",
+ "riskScore": "Medium",
+ "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 4
+
+- Get all the machines that last seen after 2018-10-20
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "83113465ffceca4a731234e5dcde3357e026e873",
+ "computerDnsName": "examples-vm10",
+ "firstSeen": "2018-11-12T16:07:50.1706168Z",
+ "lastSeen": "2018-11-12T16:07:50.1706168Z",
+ "osPlatform": "WindowsServer2019",
+ "osVersion": null,
+ "lastIpAddress": "10.123.72.35",
+ "lastExternalIpAddress": "123.220.2.3",
+ "agentVersion": "10.6300.18281.1000",
+ "osBuild": 18281,
+ "healthStatus": "Active",
+ "isAadJoined": false,
+ "machineTags": [],
+ "rbacGroupId": 5,
+ "rbacGroupName": "Developers",
+ "riskScore": "None",
+ "aadDeviceId": null
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 5
+
+- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan'
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+ "value": [
+ {
+ "id": "5c3e3322-d993-1234-1111-dfb136ebc8c5",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@examples.onmicrosoft.com",
+ "requestorComment": "1533",
+ "status": "Succeeded",
+ "machineId": "123321c10e44a82877af76b1d0161a17843f688a",
+ "creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z",
+ "lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z",
+ "relatedFileInfo": null
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
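Review bot: Example 5 is described as filtering on Analyst@examples.onmicrosoft.com and the response shows that requestor, but the request line filters on `'Analyst@WcdTestPrd.onmicrosoft.com'`; replace it with the examples.onmicrosoft.com address so the request matches its response and no non-example tenant name is published. In Example 1 the response carries `"riskScore": "North"`, which does not match the values used in the other examples (High, Medium, None) and looks like a typo. Example 1 introduces its description in bold while Examples 2 to 5 use a bullet, and the intro has agreement errors ("entities supports", "entity support").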
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
index 3189b3ffcb..67ec69e0e1 100644
--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,12 @@ ms.localizationpriority: medium
ms.date: 10/23/2017
---
-# Use the Windows Defender ATP exposed APIs
+# Use the Windows Defender ATP exposed APIs (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
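Review bot: The heading is marked "(deprecated)" here, but this hunk does not add the `[!include[Deprecated information](deprecate.md)]` line that the other deprecated pages in this change receive, so readers of this page get the label without the deprecation notice; add the include after the "Applies to" list for consistency.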
diff --git a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..076ab10d21
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,49 @@
+---
+title: File resource type
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# File resource type
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Represent a file entity in WDATP.
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[Get file](get-file-information-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) | Get a single file
+[List file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that are associated with the file.
+[List file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Get the [machine](machine-windows-defender-advanced-threat-protection-new.md) entities associated with the alert.
+[file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) | Statistics summary | Retrieves the prevalence for the given file.
+
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+sha1 | String | Sha1 hash of the file content
+sha256 | String | Sha256 hash of the file content
+md5 | String | md5 hash of the file content
+globalPrevalence | Integer | File prevalence accross organization
+globalFirstObserved | DateTimeOffset | First time the file was observed.
+globalLastObserved | DateTimeOffset | Last time the file was observed.
+size | Integer | Size of the file.
+fileType | String | Type of the file.
+isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.)
+filePublisher | String | File publisher.
+fileProductName | String | Product name.
+signer | String | File signer.
+issuer | String | File issuer.
+signerHash | String | Hash of the signing certificate.
+isValidCertificate | Boolean | Was signing certificate successfully verified by WDATP agent.
+
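Review bot: The front matter description ("Retrieves top recent alerts.") and keywords are carried over from an alerts page and do not describe the File resource type; update them. In the Methods table, "List file related machines" is described as returning machines "associated with the alert", which should say "associated with the file". `globalPrevalence` has the typo "accross", and "# Methods" and "# Properties" are written as H1 where H2 would fit under the page title.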
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..5f1df97182
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,88 @@
+---
+title: Find machine information by internal IP API
+description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP.
+keywords: ip, apis, graph api, supported apis, find machine, machine information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/25/2018
+---
+
+# Find machine information by internal IP API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+Find a machine by internal IP.
+
+>[!NOTE]
+>The timestamp must be within the last 30 days.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+
+## HTTP request
+```
+GET /api/machines/find(timestamp={time},key={IP})
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK.
+If no machine found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+ "value": [
+ {
+ "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
+ "computerDnsName": "",
+ "firstSeen": "2017-07-06T01:25:04.9480498Z",
+ "osPlatform": "Windows10",
+…
+}
+```
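Review bot: The example request and the `@odata.context` in the response point at `https://graph.microsoft.com/testwdatppreview/...`, while the HTTP request section documents `GET /api/machines/find(...)` and the other new pages use `https://api.securitycenter.windows.com`; switch the example to the documented host and path so a test endpoint is not published. The text says machines are matched "within sixteen minutes prior and after the timestamp", which disagrees with the 15 minute window stated on the findbyip page, and the sample response is cut off with `…` without closing the object and array.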
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
index 0f32d44dd4..f1e846309d 100644
--- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 07/25/2018
---
-# Find machine information by internal IP API
+# Find machine information by internal IP API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Find a machine entity around a specific timestamp by internal IP.
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..495830551e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,105 @@
+---
+title: Find machines by internal IP API
+description: Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp
+keywords: apis, graph api, supported apis, get, machine, IP, find, find machine, by ip, ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Find machines by internal IP API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp
+- The given timestamp must be in the past 30 days.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp})
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines were found - 200 OK with list of the machines in the response body.
+If no machine found - 404 Not Found.
+If the timestamp is not in the past 30 days - 400 Bad Request.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z)
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+ "computerDnsName": "mymachine33.contoso.com",
+ "firstSeen": "2018-07-31T14:20:55.8223496Z",
+ "lastSeen": null,
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "lastIpAddress": "10.248.240.38",
+ "lastExternalIpAddress": "167.220.2.166",
+ "agentVersion": "10.3720.16299.98",
+ "osBuild": 16299,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 75,
+ "riskScore": "Medium",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
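Review bot: Under "Applies to", the second and third bullets ("Find machines seen with the requested internal IP..." and "The given timestamp must be in the past 30 days.") are the API description and a constraint, not products; move them out of the list into a paragraph and a note below it. In the permissions note, "machines,that the user have access to" needs a space and should read "that the user has access to". The `ms.date` of 12/08/2017 on a newly added file also looks carried over from a template.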
diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 40fc4f997e..77d40948be 100644
--- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 10/23/2017
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
index c7ad32d81d..ac3608c9c2 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
@@ -15,12 +15,13 @@ ms.date: 12/08/2017
---
-# Get actor information API
+# Get actor information API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Retrieves an actor information report.
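Review bot: The added include is written `[!include[Deprecatedinformation](deprecate.md)]` with no space in the label, while the sibling deprecated pages in this change use `[!include[Deprecated information](deprecate.md)]`; use the same label throughout.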
diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
index 54c1dd45ee..c0ff5a988c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get actor related alerts API
+# Get actor related alerts API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves all alerts related to a given actor.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d2187f343b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,98 @@
+---
+title: Get alert information by ID API
+description: Retrieves an alert by its ID.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert information by ID API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves an alert by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body. If alert with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+}
+
+```
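Review bot: the Permissions table lists `Alert.ReadWrite.All` and `Alert.ReadWrite` for an endpoint that only performs `GET /api/alerts/{id}`, without saying which entry is the least privileged. State that `Alert.Read.All` (application) or `Alert.Read` (delegated) is sufficient, so integrators do not request write scope for a read-only call. Separately, the sentence ending "see [Use Windows Defender ATP APIs](apis-intro.md)" has no closing period.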
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
index b57243b615..70160a3b2c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert information by ID API
+# Get alert information by ID API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves an alert by its ID.
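Review bot: the heading now says "(deprecated)" and the page pulls in a shared `deprecate.md` notice, but nothing in the hunk points the reader to the replacement page that this same patch adds as `get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md`. Add a link to it under the include, unless `deprecate.md` already carries one.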
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
index e914d35ccb..99fcbab5bf 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related actor information API
+# Get alert related actor information API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Retrieves the actor information related to the specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0df45988d6
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,87 @@
+---
+title: Get alert related domains information
+description: Retrieves all domains related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related domain
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related domain information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves all domains related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | URL.Read.All | 'Read URLs'
+Delegated (work or school account) | URL.Read.All | 'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/domains
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and domain exist - 200 OK.
+If alert not found or domain not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/domains
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/$metadata#Domains",
+ "value": [
+ {
+ "host": "www.example.com"
+ }
+ ]
+}
+
+```
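Review bot: the example request, `GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/domains`, omits the `/api` segment that the HTTP request section documents as `GET /api/alerts/{id}/domains`, and the `@odata.context` value in the response omits it too. The files, machine and user pages in this patch use `/api/alerts/...` in their examples; align this one. The front-matter title also says "domains information" while the H1 says "domain information".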
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
index bc89209fbe..d0cfda9671 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
@@ -14,11 +14,14 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related domain information API
+# Get alert related domain information API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+
+
+[!include[Deprecatedinformation](deprecate.md)]
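Review bot: two blank `+` lines are added ahead of the include here, while the other deprecated pages in this patch add none. One blank line is enough, and the same spacing should be used on every page.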
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0761a7b22c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,100 @@
+---
+title: Get alert related files information
+description: Retrieves all files related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related files
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related files information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves all files related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | File.Read.All | 'Read file profiles'
+Delegated (work or school account) | File.Read.All | 'Read file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/files
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and files exist - 200 OK.
+If alert not found or files not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files",
+ "value": [
+ {
+ "sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d",
+ "sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87",
+ "md5": "82849dc81d94056224445ea73dc6153a",
+ "globalPrevalence": 33,
+ "globalFirstObserved": "2018-07-17T18:17:27.5909748Z",
+ "globalLastObserved": "2018-08-06T16:07:12.9414137Z",
+ "windowsDefenderAVThreatName": null,
+ "size": 801112,
+ "fileType": "PortableExecutable",
+ "isPeFile": true,
+ "filePublisher": null,
+ "fileProductName": null,
+ "signer": "Microsoft Windows",
+ "issuer": "Microsoft Development PCA 2014",
+ "signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f",
+ "isValidCertificate": true
+ }
+ ]
+}
+```
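Review bot: the Response section gives only status codes ("If successful and alert and files exist - 200 OK") and never says what the body contains or links to an entity definition, unlike the get-alert-by-ID page in this patch, which links to the alert entity. Add a sentence describing the returned file collection, since fields such as `isValidCertificate` and `signerHash` in the example are otherwise undocumented here.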
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
index 3efd2de78e..cc2ec68bf7 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related files information API
+# Get alert related files information API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves all files related to a specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0aa81fbd10
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,89 @@
+---
+title: Get alert related IPs information
+description: Retrieves all IPs related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related IP information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves all IPs related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ip.Read.All | 'Read IP address profiles'
+Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/ips
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and an IP exist - 200 OK. If alert not found or IPs not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/ips
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/$metadata#Ips",
+ "value": [
+ {
+ "id": "104.80.104.128"
+ },
+ {
+ "id": "23.203.232.228
+ }
+ ]
+}
+
+```
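Review bot: the second entry in the response example, `"id": "23.203.232.228`, is missing its closing double quote, so the sample is not valid JSON. The example request also omits `/api` (`.../alerts/636688558380765161_2136280442/ips`) although the HTTP request section documents `GET /api/alerts/{id}/ips`.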
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
index 3e296665a1..fba77be35c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related IP information API
+# Get alert related IP information API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves all IPs related to a specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..5eec325056
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,99 @@
+---
+title: Get alert related machine information
+description: Retrieves all machines related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related machine
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related machine information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves machine that is related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine information'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/machine
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and machine exist - 200 OK.
+If alert not found or machine not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
+ "id": "ff0c3800ed8d66738a514971cd6867166809369f",
+ "computerDnsName": "amazingmachine.contoso.com",
+ "firstSeen": "2017-12-10T07:47:34.4269783Z",
+ "lastSeen": "2017-12-10T07:47:34.4269783Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "systemProductName": null,
+ "lastIpAddress": "172.17.0.0",
+ "lastExternalIpAddress": "167.220.0.0",
+ "agentVersion": "10.5830.17732.1001",
+ "osBuild": 17732,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 75,
+ "riskScore": "Low",
+ "aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9"
+}
+```
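Review bot: the front matter says "Retrieves all machines related to a specific alert", but the body says "Retrieves machine that is related to a specific alert", the route is the singular `/machine`, and the example returns a single `Machines/$entity`. Make the title and description singular, and reword the body sentence to "Retrieves the machine that is related to a specific alert".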
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
index c5d77400aa..a9abbd55bb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related machine information API
+# Get alert related machine information API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves all machines related to a specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..143f06474b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,91 @@
+---
+title: Get alert related user information
+description: Retrieves the user associated to a specific alert.
+keywords: apis, graph api, supported apis, get, alert, information, related, user
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related user information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves the user associated to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | User.Read.All | 'Read user profiles'
+Delegated (work or school account) | User.Read.All | 'Read user profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/user
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and a user exists - 200 OK with user in the body.
+If alert not found or user not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
+ "id": "contoso\\user1",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-04T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+}
+```
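Review bot: "associated to" in the front-matter description and in the summary sentence should read "associated with", and the Response line "If successful and alert and a user exists" mixes singular and plural. Suggest "If the alert and a related user exist, returns 200 OK with the user entity in the body".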
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
index 6993fd471d..cd9221b4db 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alert related user information API
+# Get alert related user information API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves the user associated to a specific alert.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..c68a75f6be
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,130 @@
+---
+title: List alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves top recent alerts.
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The response will include only alerts that are associated with machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts
+```
+
+## Optional query parameters
+Method supports $skip and $top query parameters.
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body. If no recent alerts found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ },
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 2",
+ "recommendedAction": "Some recommended action 2",
+ "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 2",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+ }
+ ]
+}
+```
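Review bot: both objects in the example `value` array carry the same `"id": "636688558380765161_2136280442"`, although their descriptions, timestamps and `machineId` values differ. Give the second alert its own id so the sample does not suggest that ids can repeat. The Response text also says 404 Not Found when no recent alerts are found; confirm that this is intended for a list call rather than 200 with an empty `value`, and say what `$skip` and `$top` accept.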
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
index 200e9bcb18..30daf66f8c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get alerts API
+# Get alerts API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves top recent alerts.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md
index 8b5aa9abb1..ae59bae72e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 10/07/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Retrieves a map of CVE's to KB's and CVE details.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..ee1404dd5e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,129 @@
+---
+title: Get domain related alerts API
+description: Retrieves a collection of alerts related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain related alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+
+
+
+Retrieves a collection of alerts related to a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain or alert does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ },
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 2",
+ "recommendedAction": "Some recommended action 2",
+ "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 2",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+ }
+ ]
+}
+```
+
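Review bot: The request headers table is malformed: the header row `Header | Value` has two columns, but the separator `:---|:---|:---` and the `Authorization | String | Bearer {token}. **Required**.` row have three. Use `Name | Type | Description` as the other new pages in this patch do. In the response sample, `@odata.context` ends in `$metadata#Machines` although the payload is a list of alerts, and both sample alerts carry the same `id` (`636688558380765161_2136280442`), which reads as if alert ids were not unique. Give the second alert a distinct id and point the context at the alerts collection. In the note, "that the user have access to" should be "that the user has access to", and the file ends with a stray empty line.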
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
index 9ead2dbb39..4d2cd0fc45 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,15 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get domain related alerts API
+# Get domain related alerts API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
+
Retrieves a collection of alerts related to a given domain address.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..4d69da1a53
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,122 @@
+---
+title: Get domain related machines API
+description: Retrieves a collection of machines related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain related machines API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of machines that have communicated to or from a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain and machine exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain or machines do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5",
+ "computerDnsName": "testMachine1",
+ "firstSeen": "2018-07-30T20:12:00.3708661Z",
+ "lastSeen": "2018-07-30T20:12:00.3708661Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "10.209.67.177",
+ "lastExternalIpAddress": "167.220.1.210",
+ "agentVersion": "10.5830.18208.1000",
+ "osBuild": 18208,
+ "healthStatus": "Inactive",
+ "isAadJoined": false,
+ "machineTags": [],
+ "rbacGroupId": 75,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "02efb9a9b85f07749a018fbf3f962b4700b3b949",
+ "computerDnsName": "testMachine2",
+ "firstSeen": "2018-07-30T19:50:47.3618349Z",
+ "lastSeen": "2018-07-30T19:50:47.3618349Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "10.209.70.231",
+ "lastExternalIpAddress": "167.220.0.28",
+ "agentVersion": "10.5830.18208.1000",
+ "osBuild": 18208,
+ "healthStatus": "Inactive",
+ "isAadJoined": false,
+ "machineTags": [],
+ "rbacGroupId": 75,
+ "riskScore": "None",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
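Review bot: The sample response publishes publicly routable addresses in `lastExternalIpAddress` (`167.220.1.210`, `167.220.0.28`). Sample data in public documentation should use the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so that no real egress address is exposed. The example request also queries the domain `api.securitycenter.windows.com`, which is the API host itself and looks like a copy error; a neutral name such as `example.com` would be clearer. The response block has no empty line between `Content-type: application/json` and the opening `{`, unlike the domain alerts page, and "If successful and domain and machine exists" should read "exist".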
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
index 37f79cad7c..9995b7a57f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get domain related machines API
+# Get domain related machines API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of machines related to a given domain address.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d3dd0b2f72
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,84 @@
+---
+title: Get domain statistics API
+description: Retrieves the prevalence for the given domain.
+keywords: apis, graph api, supported apis, get, domain, domain related machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain statistics API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves the prevalence for the given domain.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | URL.Read.All | 'Read URLs'
+Delegated (work or school account) | URL.Read.All | 'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/stats
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK, with statistics object in the response body.
+If domain does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/example.com/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
+ "host": "example.com",
+ "orgPrevalence": "4070",
+ "orgFirstSeen": "2017-07-30T13:23:48Z",
+ "orgLastSeen": "2017-08-29T13:09:05Z"
+}
+```
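Review bot: In the response sample, `"orgPrevalence": "4070"` is a quoted string, while the comparable `globalPrevalence` field in the file information page of this patch is a bare number (`7329`). The Response section only says "statistics object", so a client author cannot tell whether to parse a string or an integer. Document the field types, or correct the sample if the string is unintended. The `keywords` front matter line ends with `domain related machines` and lacks `statistics`, which looks carried over from the machines page.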
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
index a3c16e6ca8..7cab84b5fb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get domain statistics API
+# Get domain statistics API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Retrieves the prevalence for the given domain.
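Review bot: The include label on `+[!include[Deprecatedinformation](deprecate.md)]` is missing the space used by the other deprecated pages in this patch (`[!include[Deprecated information](deprecate.md)]`). Make the label consistent so a search for the deprecation include finds every page.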
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..2080cabc06
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,98 @@
+---
+title: Get file information API
+description: Retrieves a file by identifier Sha1, Sha256, or MD5.
+keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file information API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves a file by identifier Sha1, Sha256, or MD5.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | File.Read.All | 'Read all file profiles'
+Delegated (work or school account) | File.Read.All | 'Read all file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+
+## HTTP request
+```
+GET /api/files/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If file does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
+ "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
+ "sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf",
+ "md5": "7f05a371d2beffb3784fd2199f81d730",
+ "globalPrevalence": 7329,
+ "globalFirstObserved": "2018-04-08T05:50:29.4459725Z",
+ "globalLastObserved": "2018-08-07T23:35:11.1361328Z",
+ "windowsDefenderAVThreatName": null,
+ "size": 391680,
+ "fileType": "PortableExecutable",
+ "isPeFile": true,
+ "filePublisher": null,
+ "fileProductName": null,
+ "signer": null,
+ "issuer": null,
+ "signerHash": null,
+ "isValidCertificate": null
+}
+```
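Review bot: The `{id}` path parameter in `GET /api/files/{id}` is never described. The summary says the file is retrieved "by identifier Sha1, Sha256, or MD5", but the page has no parameter section stating that all three hash types are accepted in `{id}`, and the only example uses a SHA-1 value. Add a short parameter description and say whether lookups by SHA-256 and MD5 return the same entity. The response sample also has no empty line between `Content-type: application/json` and the opening `{`.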
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
index 7584b147fb..9683f68898 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get file information API
+# Get file information API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a file by identifier Sha1, Sha256, or MD5.
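Review bot: This hunk removes the empty line that followed the "Applies to" bullet and places `[!include[Deprecated information](deprecate.md)]` directly after the list item, so the deprecation notice can be rendered as a continuation of the bullet instead of as its own block. Keep an empty line between the list item and the include, as the deprecated domain alerts page in this patch does after its include.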
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0ef637c98e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,107 @@
+---
+title: Get file related alerts API
+description: Retrieves a collection of alerts related to a given file hash.
+keywords: apis, graph api, supported apis, get, file, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file related alerts API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves a collection of alerts related to a given file hash.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If file or alerts do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636692391408655573_2010598859",
+ "severity": "Low",
+ "status": "New",
+ "description": "test alert",
+ "recommendedAction": "do this and that",
+ "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+ "category": "None",
+ "title": "test alert",
+ "threatFamilyName": null,
+ "detectionSource": "CustomerTI",
+ "classification": null,
+ "determination": null,
+ "assignedTo": null,
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+ "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+ "actorName": null,
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+ }
+ ]
+}
+```
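Review bot: The Response section says 404 is returned when "file or alerts do not exist", so a caller cannot tell an unknown hash from a known file that simply has no alerts. State explicitly whether a known file with no alerts yields 404 or 200 with an empty `value` array, since triage automation will branch on this. Grammar in the same area: "If successful and file and alert exists" should read "exist", and in the note "that the user have access to" should be "that the user has access to".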
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
index 05c27cc3c8..3967df849d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get file related alerts API
+# Get file related alerts API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given file hash.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..94de515e8e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,123 @@
+---
+title: Get file related machines API
+description: Retrieves a collection of machines related to a given file hash.
+keywords: apis, graph api, supported apis, get, machines, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file related machines API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of machines related to a given file hash.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If file or machines do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lasttSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lasttSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
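Review bot: Both machine objects in the response sample spell the key as `"lasttSeen"`, while the domain related machines page in this patch uses `"lastSeen"`. Anyone copying the sample into a parser or schema will bind the wrong field name. In the first object, `firstSeen` (`2018-08-02T14:55:03.7791856Z`) is later than the last-seen value (`2018-07-09T13:22:45.1250071Z`), which is not a plausible pair. The example request also passes `1e5bc9d7e413ddd7902c2932e418702b84d0cc07` as the file id, the same value that appears as the first machine's `id` in the response, so it looks like a machine id pasted where a file hash belongs. The `lastExternalIpAddress` values are publicly routable and would be better taken from the RFC 5737 documentation ranges.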
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
index 1fbbc3a108..dc8a07b552 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get file related machines API
+# Get file related machines API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of machines related to a given file hash.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..31913eb556
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,93 @@
+---
+title: Get file statistics API
+description: Retrieves the prevalence for the given file.
+keywords: apis, graph api, supported apis, get, file, statistics
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file statistics API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+
+
+
+Retrieves the prevalence for the given file.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | File.Read.All | 'Read file profiles'
+Delegated (work or school account) | File.Read.All | 'Read file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/stats
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with statistical data in the body.
+If file do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
+ "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
+ "orgPrevalence": "3",
+ "orgFirstSeen": "2018-07-15T06:13:59Z",
+ "orgLastSeen": "2018-08-03T16:45:21Z",
+ "topFileNames": [
+ "chrome_1.exe",
+ "chrome_2.exe"
+ ]
+}
+
+```
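Review bot: In the Response section the two outcome lines ("If successful and file exists - 200 OK ..." and "If file do not exist - 404 Not Found.") sit on consecutive lines with no blank line or list markers, so Markdown will join them into one paragraph. Make them a two-item bullet list, and change "If file do not exist" to "If the file does not exist". Separately, the example body returns "orgPrevalence": "3" as a quoted string; confirm whether the API really returns a string rather than a number and state the type, since callers comparing prevalence against a threshold need to know whether to parse it.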
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
index 097db254ff..e7b702fac8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get file statistics API
+# Get file statistics API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Retrieves the prevalence for the given file.
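Review bot: The added [!include[Deprecatedinformation](deprecate.md)] line now follows the "Applies to" bullet directly, because the blank line after the bullet is removed in the same hunk. Without a blank line Markdown treats the include as a continuation of the list item, so the deprecation notice can render inside the bullet. Keep an empty line between the bullet and the include.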
diff --git a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
index 6b46d49d1c..b83bae0e6d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get FileActions collection API
+# Get FileActions collection API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Gets collection of actions done on files. Get FileActions collection API supports OData V4 queries.
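Review bot: The H1 gains "(deprecated)" but the hunk starts at line 14, below the front matter, so the page's title: metadata is not touched and ms.date stays at 12/08/2017. If the deprecation should be visible in search results and the table of contents, update title: as well, and bump ms.date so the page shows when it was marked deprecated.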
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
index 129a601d95..5fc6065ee7 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get FileMachineAction object API
+# Get FileMachineAction object API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Gets file and machine actions.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
index b22756a78b..b00ad9d909 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get FileMachineActions collection API
+# Get FileMachineActions collection API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Get collection of file and machine actions. Get FileMachineActions collection API supports OData V4 queries.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..27c06e86a8
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,106 @@
+---
+title: Get IP related alerts API
+description: Retrieves a collection of alerts related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP related alerts API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of alerts related to a given IP address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If IP and alerts do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636692391408655573_2010598859",
+ "severity": "Low",
+ "status": "New",
+ "description": "test alert",
+ "recommendedAction": "do this and that",
+ "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+ "category": "None",
+ "title": "test alert",
+ "threatFamilyName": null,
+ "detectionSource": "CustomerTI",
+ "classification": null,
+ "determination": null,
+ "assignedTo": null,
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+ "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+ "actorName": null,
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+ }
+ ]
+}
+```
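Review bot: The Response section says "If IP and alerts do not exist - 404 Not Found", which leaves it unclear what a caller gets for an IP that is known but has no alerts: a 404, or a 200 with an empty "value" array. State the behaviour for that case explicitly, since automation that polls this endpoint has to tell "nothing found" apart from a bad request path. Also fix agreement in "IP and alert exists" (exist) and in the note line "that the user have access to" (has).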
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
index fad5315c23..3502e90557 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get IP related alerts API
+# Get IP related alerts API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given IP address.
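Review bot: The include label here is "Deprecated information" with a space, while the earlier deprecation hunks in this patch use "Deprecatedinformation" for the same deprecate.md target. Pick one spelling and use it across all of the deprecated pages so the includes are easy to grep for.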
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..20449184f7
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,123 @@
+---
+title: Get IP related machines API
+description: Retrieves a collection of machines related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP related machines API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+Retrieves a collection of machines that communicated with or from a particular IP.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If IP or machines do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
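Review bot: The example response uses publicly routable addresses for "lastExternalIpAddress" ("167.220.196.71" and "79.183.65.82"). Sample output in public documentation should use the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so it does not point at real hosts. Also, the front matter description says "machines related to a given IP address" while the body says "machines that communicated with or from a particular IP"; align the two, and reword "communicated with or from" to something like "communicated to or from". The note line "that the user have access to" should read "has".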
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
index acbfa51a4a..72071848e6 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
@@ -37,8 +37,7 @@ Content type | application/json
Empty
## Response
-If successful and IP and machines exists - 200 OK.
-If IP or machines do not exist - 404 Not Found.
+If successful and IP and machines exists - 200 OK. If IP or machines do not exist - 404 Not Found.
## Example
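Review bot: Merging the 200 and 404 outcomes into a single line makes the Response section harder to scan and keeps the agreement error "machines exists". A two-item bullet list would read better. It would also match the new version of this page added elsewhere in this patch, which keeps the outcomes on separate lines.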
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..763444713a
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,85 @@
+---
+title: Get IP statistics API
+description: Retrieves the prevalence for the given IP.
+keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP statistics API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+
+
+Retrieves the prevalence for the given IP.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ip.Read.All | 'Read IP address profiles'
+Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/stats
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
+ "ipAddress": "10.209.67.177",
+ "orgPrevalence": "63515",
+ "orgFirstSeen": "2017-07-30T13:36:06Z",
+ "orgLastSeen": "2017-08-29T13:32:59Z"
+}
+```
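Review bot: The Response line's second sentence, "IP do not exist - 404 Not Found.", has lost its leading "If" and has a subject-verb mismatch, and the first sentence writes "ip" in lowercase while the rest of the page uses "IP". Suggest two separate lines: "If successful and the IP exists - 200 OK with statistical data in the body." and "If the IP does not exist - 404 Not Found."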
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
index 5134bd1653..04783ac39e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 12/08/2017
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
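Review bot: The "Applies to" bullet now links the product name to Windows10_Commercial_Comparison.pdf on wincom.blob.core.windows.net. The link text gives no hint that it opens a PDF about edition comparison rather than a product page. Either label the link as a PDF or point it at a docs page, and confirm the blob URL is meant to be a long-lived public location, since this same target is added across many pages in this patch.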
diff --git a/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md
index 60756f6400..700a3ded7d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 10/07/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Retrieves a collection of KB's and KB details.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..4211bbbb1f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,102 @@
+---
+title: Get machine by ID API
+description: Retrieves a machine entity by ID.
+keywords: apis, graph api, supported apis, get, machines, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine by ID API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a machine entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+
+## HTTP request
+```
+GET /api/machines/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK with the [machine](machine-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If machine with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+}
+
+```
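Review bot: "Retrieves a machine entity by ID." follows the "Applies to" bullet with no blank line between them, so Markdown will render the page summary as part of the list item. Add an empty line after the bullet. The prerelease include is also placed above "Applies to" here, whereas the file statistics and IP pages added in this patch place it below; use one order throughout.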
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
index d61e334add..66f525a094 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get machine by ID API
+# Get machine by ID API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a machine entity by ID.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..31988d7d7b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,105 @@
+---
+title: Get machine log on users API
+description: Retrieves a collection of logged on users.
+keywords: apis, graph api, supported apis, get, machine, log on, users
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine log on users API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a collection of logged on users.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | User.Read.All | 'Read user profiles'
+Delegated (work or school account) | User.Read.All | 'Read user profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/{id}/logonusers
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine and user exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body
+If no machine found or no users found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users",
+ "value": [
+ {
+ "id": "contoso\\user1",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-04T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+ },
+ {
+ "id": "contoso\\user2",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-05T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+ }
+ ]
+}
+```
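Review bot: The example request URL does not match the documented route. The HTTP request section gives GET /api/machines/{id}/logonusers, but the example calls https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers, with the /machines/ segment missing. Anyone copying the example will get a failure that looks like a missing machine. Also add the missing period after "entities in the body" and a blank line between the "Applies to" bullet and "Retrieves a collection of logged on users."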
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
index 4669b6ac62..13530b98e5 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get machine log on users API
+# Get machine log on users API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of logged on users.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..fc89631378
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,105 @@
+---
+title: Get machine related alerts API
+description: Retrieves a collection of alerts related to a given machine ID.
+keywords: apis, graph api, supported apis, get, machines, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine related alerts API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a collection of alerts related to a given machine ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/{id}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If no machine or no alerts found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636692391408655573_2010598859",
+ "severity": "Low",
+ "status": "New",
+ "description": "test alert",
+ "recommendedAction": "do this and that",
+ "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+ "category": "None",
+ "title": "test alert",
+ "threatFamilyName": null,
+ "detectionSource": "CustomerTI",
+ "classification": null,
+ "determination": null,
+ "assignedTo": null,
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+ "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+ "actorName": null,
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+ }
+ ]
+}
+```
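Review bot: the "HTTP request" block gives a relative path (`GET /api/machines/{id}/alerts`), while the example request below it and the HTTP request blocks of the other new pages in this patch use the full `https://api.securitycenter.windows.com` URL; use the absolute form here too. In the Response section, "If successful and machine and alert exists" should read "exist", and the sample response needs a blank line between `Content-type: application/json` and the opening `{` so it reads as a well-formed HTTP message.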
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
index 9a01fc1a18..4803e86973 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get machine related alerts API
+# Get machine related alerts API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given machine ID.
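Review bot: the added `[!include[Deprecated information](deprecate.md)]` line sits directly under the "Applies to" bullet, and the hunk also removes the blank line that used to follow that bullet, so Markdown will treat the include as a continuation of the list item. Keep a blank line between the bullet and the include. The same placement recurs in the other "(deprecated)" pages in this patch.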
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..96a4953581
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,90 @@
+---
+title: Get MachineAction object API
+description: Use this API to create calls related to get machineaction object
+keywords: apis, graph api, supported apis, machineaction object
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machineAction API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Get action performed on a machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machineactions/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. If machine action entity with the specified id was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+ "relatedFileInfo": null
+}
+
+
+```
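Review bot: the front matter title says "Get MachineAction object API" but the H1 is "Get machineAction API"; pick one name and one casing for the new page so the title, heading and links agree. "200, Ok response code" and `HTTP/1.1 200 Ok` should use the standard reason phrase "OK", as the machine related alerts page does, and the two empty lines before the closing fence of the response sample can be dropped.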
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
index 0628465533..b3ed113094 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get MachineAction object API
+# Get MachineAction object API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Get actions done on a machine.
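Review bot: the include label here is written `Deprecatedinformation`, without the space used in `[!include[Deprecated information](deprecate.md)]` on the machine related alerts page; make the label consistent across the deprecated pages. As on that page, the include follows the "Applies to" bullet with no blank line, so it will render as part of the list item.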
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..5a137cb5a8
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,169 @@
+---
+title: List machineActions API
+description: Use this API to create calls related to get machineactions collection
+keywords: apis, graph api, supported apis, machineaction collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List MachineActions API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+ Gets collection of actions done on machines.
+ Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machineactions
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction-windows-defender-advanced-threat-protection-new.md) entities.
+
+
+## Example 1
+
+**Request**
+
+Here is an example of the request on an organization that has three MachineActions.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+ "value": [
+ {
+ "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
+ "relatedFileInfo": null
+ },
+ {
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+ "relatedFileInfo": null
+ },
+ {
+ "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
+ "type": "StopAndQuarantineFile",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
+ "relatedFileInfo": {
+ "fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508",
+ "fileIdentifierType": "Sha1"
+ }
+ }
+ ]
+}
+```
+
+## Example 2
+
+**Request**
+
+Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions.
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+ "value": [
+ {
+ "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
+ "relatedFileInfo": null
+ },
+ {
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+ "relatedFileInfo": null
+ }
+ ]
+}
+```
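Review bot: Example 2 says the request "shows the latest two MachineActions", but the query is only `$filter=machineId eq '...'&$top=2` with no `$orderby`, so which two items come back depends on the service's default ordering. Either add an explicit ordering on `creationDateTimeUtc` to the example, if the API supports it, or reword the sentence to "the first two". The `[!include[Improve request performance](improverequestperformance-new.md)]` line is under Request in Example 1 but under Response in Example 2; it belongs with the request in both.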
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
index 889383cdab..0983daee3c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get MachineActions collection API
+# Get MachineActions collection API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Gets collection of actions done on machines. Get MachineAction collection API supports OData V4 queries.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md
index 1d2ab14e01..d98a86a488 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 10/07/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Retrieves a collection of RBAC machine groups.
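Review bot: the "Applies to" product name now links to `Windows10_Commercial_Comparison.pdf` on `wincom.blob.core.windows.net`, a direct PDF download on a storage host rather than a documentation page. The same URL is hard-coded in every page this patch touches, so consider a single include or a stable docs link, and confirm that this PDF is the intended target for the product label.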
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..5d41431d83
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,124 @@
+---
+title: List machines API
+description: Retrieves a collection of recently seen machines.
+keywords: apis, graph api, supported apis, get, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List machines API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
+Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId"
+
+## Permissions
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If no recent machines - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
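Review bot: the filter field list names properties in PascalCase ("Id", "ComputerDnsName", "LastSeen", ...) while the sample response returns them in camelCase (`id`, `computerDnsName`, `lastSeen`); state the casing the `$filter` expression actually expects, since OData property names are case-sensitive. The Permissions section is also missing the "One of the following permissions is required to call this API" sentence that the other new pages carry, and "on the last 30 days" and "only machines,that the user have access to" need a grammar pass.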
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
index 5fc127f082..2aae8e0d5d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get machines API
+# Get machines API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of recently seen machines.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md
index 1b3f4fe295..8880d2c1b8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 10/07/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Retrieves a collection of machines security states.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..6b90d0ff62
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,84 @@
+---
+title: Get package SAS URI API
+description: Use this API to get a URI that allows downloading an investigation package.
+keywords: apis, graph api, supported apis, get package, sas, uri
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get package SAS URI API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.CollectForensics | 'Collect forensics'
+Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
+
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String",
+ "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
+}
+
+
+```
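Review bot: the sample response's `value` field carries a complete `safedownload` URL with a long `token=` query string; since this link is what authorizes the package download, confirm the token is synthetic or replace it with a short placeholder such as `token={token}`. The path is spelled `getPackageUri` in the HTTP request block and `GetPackageUri` in the example, and the example uses a 40-character hex ID where the machineAction pages show GUID IDs; align both. "Valid for a very short time" would be more useful with the actual lifetime stated.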
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
index b360312126..688491a75d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get package SAS URI API
+# Get package SAS URI API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Get a URI that allows downloading of an investigation package.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md
index 0d0972f0bd..08d0bcb99e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-started.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-started.md
@@ -17,7 +17,7 @@ ms.date: 09/03/2018
# Get started with Windows Defender Advanced Threat Protection
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..ccd438a908
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,92 @@
+---
+title: Get Ti Indicator by ID API
+description: Retrieves Ti Indicator entity by ID.
+keywords: apis, public api, supported apis, get, ti indicator, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get TI Indicator by ID API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a TI Indicator entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
+
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/tiindicators/{id}
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and TI Indicator exists - 200 OK with the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If TI Indicator with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators/$entity",
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+ "createdBy": "45097602-0cfe-4cc6-925f-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+}
+
+```
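Review bot: "Retrieves a TI Indicator entity by ID." is on the line right after the "Applies to" bullet with no blank line between them, so it will render as part of the list item; add a blank line. The sample `createdBy` here is `45097602-0cfe-4cc6-925f-9f453233e62c`, whereas the List TiIndicators page shows `45097602-1234-5678-1234-9f453233e62c` for the same indicator; if the first is a real application ID, use the sanitized value in both. The front matter title "Get Ti Indicator by ID API" should match the H1 casing "TI".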
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d2c398ee0f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,109 @@
+---
+title: List TiIndicators API
+description: Use this API to create calls related to get TiIndicators collection
+keywords: apis, public api, supported apis, TiIndicators collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List TiIndicators API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+ Gets collection of TI Indicators.
+ Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
+
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/tiindicators
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+
+>[!Note]
+> The response will only include TI Indicators that submitted by the calling Application.
+
+
+## Example
+
+**Request**
+
+Here is an example of a request that gets all TI Indicators
+
+```
+GET https://api.securitycenter.windows.com/api/tiindicators
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators",
+ "value": [
+ {
+ "indicator": "12.13.14.15",
+ "indicatorType": "IpAddress",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
+ "createdBy": "45097602-1234-5678-1234-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "test"
+ },
+ {
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+ "createdBy": "45097602-1234-5678-1234-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+ }
+ ]
+}
+```
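Review bot: the Permissions table lists only `Ti.ReadWrite` for an endpoint that is a GET with an empty request body, so an integration that only needs to list indicators has to be granted write access as well. If no read-only permission exists, state that in the Permissions section; if one does, add it to the table. Two smaller points: the Note under Response reads "that submitted by the calling Application" and needs "that were submitted", and the sample response puts the JSON body directly after `Content-type: application/json` with no blank line between headers and body.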
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..ea4a25eca2
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,85 @@
+---
+title: Get user information API
+description: Retrieve a User entity by key such as user name or domain.
+keywords: apis, graph api, supported apis, get, user, user information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get user information API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Retrieve a User entity by key (user name or domain\user).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | User.Read.All | 'Read all user profiles'
+
+## HTTP request
+```
+GET /api/users/{id}/
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and user exists - 200 OK with [user](user-windows-defender-advanced-threat-protection-new.md) entity in the body. If user does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/users/user1@contoso.com
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
+ "id": "user1@contoso.com",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-04T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+}
+```
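Review bot: the accepted form of `{id}` is inconsistent in this file. The front matter description says "user name or domain", the body says "user name or domain\user", and the example request passes a full UPN (`/api/users/user1@contoso.com`), while the related alerts and machines pages added in this patch state that the id is not the full UPN. Spell out which formats this endpoint accepts, with one example per format. Also, the HTTP request line ends with a trailing slash (`GET /api/users/{id}/`) that the example does not use, and the example request shows `Content-type: application/json` on a GET with an empty body while omitting the `Authorization` header that the headers table marks as required.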
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
index ac38166ec1..86880c519e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get user information API
+# Get user information API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieve a User entity by key (user name or domain\user).
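Review bot: the `ms.date: 12/08/2017` context line at the top of this hunk is left unchanged even though the title gains "(deprecated)"; the equivalent change to get-user-related-alerts in this patch bumps the date to 11/15/2018, so update it here as well. The hunk also removes the blank line after the Applies to bullet and places `[!include[Deprecated information](deprecate.md)]` directly under the list item; keep a blank line between the two so the include is not parsed as a continuation of the bullet.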
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..df5abdbe22
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,125 @@
+---
+title: Get user related alerts API
+description: Retrieves a collection of alerts related to a given user ID.
+keywords: apis, graph api, supported apis, get, user, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get user related alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of alerts related to a given user ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/users/{id}/alerts
+```
+
+**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) **
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and user and alert exist - 200 OK. If user or alerts do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/users/user1/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ },
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 2",
+ "recommendedAction": "Some recommended action 2",
+ "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 2",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+ }
+ ]
+}
+```
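Review bot: the bold sentence under HTTP request ends with a space before the closing `**` ("/api/users/user1/alerts) **"), so the emphasis will not close and the asterisks will render literally. This is the only line telling callers that `{id}` is the user name rather than the UPN, so move it into a `>[!Note]` block like the one used under Permissions. In the sample response both alerts carry the same `id` ("636688558380765161_2136280442") although their descriptions, times and machineId differ; give the second entry a distinct id. The Response section should also say what the 200 body contains, and "that the user have access to" should read "has access to".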
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
index 4283b6db69..ec40578526 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
@@ -11,16 +11,16 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 12/08/2017
+ms.date: 11/15/2018
---
-# Get user related alerts API
+# Get user related alerts API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given user ID.
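Review bot: the blank line after the Applies to bullet is removed and `[!include[Deprecated information](deprecate.md)]` is added immediately under the list item, so Markdown will treat the include as a continuation of the bullet rather than as its own block. Add a blank line between the bullet and the include, as the new API pages in this patch do between the bullet and the prerelease include.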
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..ecf23df07d
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,124 @@
+---
+title: Get user related machines API
+description: Retrieves a collection of machines related to a given user ID.
+keywords: apis, graph api, supported apis, get, user, user related alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get user related machines API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Retrieves a collection of machines related to a given user ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/users/{id}/machines
+```
+
+**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) **
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user or machines does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/users/user1/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
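Review bot: the sample response uses publicly routable values for `lastExternalIpAddress` ("167.220.196.71" and "79.183.65.82"). Replace them with addresses from the documentation ranges reserved by RFC 5737 (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so the published example does not point at live hosts. The front matter `keywords` line ends with "user related alerts", which looks copied from the alerts page and should name machines. The bold note under HTTP request has the same space before the closing `**` as the alerts page and will not render as bold, and the Response sentence needs "machines exist" and "do not exist".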
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
index 4be3026444..11f719ebd8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Get user related machines API
+# Get user related machines API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Retrieves a collection of machines related to a given user ID.
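Review bot: the `ms.date: 12/08/2017` context line is not updated in this hunk although the page is being marked "(deprecated)"; the get-user-related-alerts change in this patch sets 11/15/2018, so use the same date here. As in the other deprecated pages, `[!include[Deprecated information](deprecate.md)]` now sits directly under the Applies to bullet with the separating blank line removed; restore a blank line between them.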
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png b/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png
index 5f0e1199b6..afff6b7093 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png b/windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png
index d980fc4ed9..233b126c5b 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png
new file mode 100644
index 0000000000..93e294ec2b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png
index a4a07d3b92..4449661657 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png
new file mode 100644
index 0000000000..867fb4d976
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png
new file mode 100644
index 0000000000..51588e0bdc
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png
new file mode 100644
index 0000000000..f33aa04682
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png
new file mode 100644
index 0000000000..1f15b39220
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png
new file mode 100644
index 0000000000..b42c9ec193
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png
new file mode 100644
index 0000000000..89e20f3a67
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png
new file mode 100644
index 0000000000..1f7f423e49
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png
new file mode 100644
index 0000000000..eb866e3cce
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png
new file mode 100644
index 0000000000..05d76ec807
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png
new file mode 100644
index 0000000000..92f46bf116
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png
new file mode 100644
index 0000000000..859e4fa8a3
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png
new file mode 100644
index 0000000000..2114b14c4d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png
new file mode 100644
index 0000000000..d5fdf37ac2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png
new file mode 100644
index 0000000000..d060becd5b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png
new file mode 100644
index 0000000000..62c96acf75
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png
new file mode 100644
index 0000000000..7098c8a543
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png
new file mode 100644
index 0000000000..5c340e3138
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png
new file mode 100644
index 0000000000..b94ee3a009
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png
new file mode 100644
index 0000000000..dce1698521
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png
new file mode 100644
index 0000000000..049d3ed6ee
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png
new file mode 100644
index 0000000000..054470d70e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png
new file mode 100644
index 0000000000..00a8756c43
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png
new file mode 100644
index 0000000000..8123965c84
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png
new file mode 100644
index 0000000000..40f15eb65a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png
new file mode 100644
index 0000000000..38e98ce07d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png
new file mode 100644
index 0000000000..4ddb1fae83
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png
new file mode 100644
index 0000000000..a091db0189
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png
new file mode 100644
index 0000000000..be98e49216
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png
new file mode 100644
index 0000000000..47203a8151
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png
new file mode 100644
index 0000000000..1b8396b50e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png
new file mode 100644
index 0000000000..103081f82c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png
new file mode 100644
index 0000000000..b7c7e0926f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png
new file mode 100644
index 0000000000..8edc069eaf
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png
new file mode 100644
index 0000000000..c813929e31
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md
new file mode 100644
index 0000000000..afb2f9bbdd
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md
@@ -0,0 +1,23 @@
+---
+title:
+description:
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 04/24/2018
+---
+
+# Improve request performance
+
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
\ No newline at end of file
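Review bot: the front matter leaves `title:`, `description:` and `keywords:` empty, and the file has no trailing newline. Fill in or drop the empty fields and end the file with a newline. Because this file is pulled in via `[!include[Improve request performance](improverequestperformance-new.md)]` in the middle of Example sections, check that the `# Improve request performance` H1 is wanted at those positions; a note-only include would read better there. The note text should read "you can use the server closest to your geographic location", and it would help to state that the three hosts replace `api.securitycenter.windows.com` in the request URL.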
diff --git a/windows/security/threat-protection/windows-defender-atp/incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/incidents-queue.md
index fa6a121754..01abcc2317 100644
--- a/windows/security/threat-protection/windows-defender-atp/incidents-queue.md
+++ b/windows/security/threat-protection/windows-defender-atp/incidents-queue.md
@@ -16,7 +16,7 @@ ms.date: 10/08/2018
# Incidents queue in Windows Defender ATP
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Prerelease information](prerelease.md)]
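Review bot: the Applies to bullet now links the product name to `https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf`, a PDF on a blob storage host whose file name indicates an edition comparison rather than a Windows Defender ATP page. Readers clicking a product name expect product documentation, so either point the link at the product page or change the link text to say it opens the Windows 10 commercial edition comparison (PDF). The same link is added across many files in this patch, so a single shared include would make the target easier to update later.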
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
index 56ea8cdf4a..55f697cb46 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
@@ -54,14 +54,11 @@ Some actor profiles include a link to download a more comprehensive threat intel
The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
## Alert process tree
-The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence, together with other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page.
+The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page.

-The **Alert process tree** expands to display the execution path of the alert, its evidence, and related events that occurred in the minutes - before and after - the alert.
-
-The alert and related events or evidence have circles with thunderbolt icons inside them.
-
+The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation.
>[!NOTE]
>The alert process tree might not be available in some alerts.
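Review bot: The blank line that separated the last paragraph from `>[!NOTE]` is removed along with the thunderbolt sentence, so the new paragraph ending "should be given priority during investigation." now sits directly against the note; keep one blank `+` line after it so the note renders as its own block. The rewrite also replaces "in the minutes - before and after - the alert" with "around the same period", which tells an analyst less about the time window the tree covers; consider keeping the concrete wording.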
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
index 65acd1c33c..3529488b89 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
index d680bef4c2..196e04a38f 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md
index bac3bc4093..464c9131b9 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 10/08/2018
# Investigate incidents in Windows Defender ATP
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Prerelease information](prerelease.md)]
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
index 44daae5c16..0a5384f47f 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index f9145a0e27..2c1fdf3100 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 09/18/2018
# Investigate machines in the Windows Defender ATP Machines list
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
index dcbc200193..7850ace854 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..066dac83dd
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,80 @@
+---
+title: Is domain seen in org API
+description: Use this API to create calls related to checking whether a domain was seen in the organization.
+keywords: apis, graph api, supported apis, domain, domain seen
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 04/24/2018
+---
+
+# Was domain seen in org
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Answers whether a domain was seen in the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Url.Read.All | 'Read URLs'
+Delegated (work or school account) | URL.Read.All | 'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK. If domain does not exist - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/example.com
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains/$entity",
+ "host": "example.com"
+}
+```
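Review bot: The permissions table spells the scope two ways, `Url.Read.All` for Application and `URL.Read.All` for Delegated; readers copy these strings into app registrations, so use the one casing the service actually issues in both rows. In the request example, the bodyless GET carries `Content-type: application/json` but not the `Authorization: Bearer {token}` header that the headers table marks as required; show the required header and drop the content type. The response example needs a blank line between `Content-type: application/json` and the opening `{`. The front matter title says "Is domain seen in org API" while the H1 says "Was domain seen in org"; pick one.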
diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
index 892fc60bd3..6dee679614 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
@@ -14,9 +14,14 @@ ms.localizationpriority: medium
ms.date: 04/24/2018
---
-# Is domain seen in org
+# Is domain seen in org (deprecated)
Answers whether a domain was seen in the organization.
+[!include[Deprecatedinformation](deprecate.md)]
+
+
+
+
## Permissions
User needs read permissions.
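Review bot: The deprecation include is added on the line immediately after "Answers whether a domain was seen in the organization." with no blank line between them, followed by four empty lines. Put one blank line before the include so it is not folded into the description paragraph, and reduce the trailing blank lines to one. For a deprecated API, placing the include directly under the H1, ahead of the description, would also make the notice harder to miss.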
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..fc6b531fc1
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,81 @@
+---
+title: Is IP seen in org API
+description: Answers whether an IP was seen in the organization.
+keywords: apis, graph api, supported apis, is, ip, seen, org, organization
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Was IP seen in org
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Answers whether an IP was seen in the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ip.Read.All | 'Read IP address profiles'
+Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP exists - 200 OK. If IP do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips/$entity",
+ "id": "10.209.67.177"
+}
+```
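Review bot: The "Improve request performance" include is placed under **Response** here, after the request example, whereas the domain page in this patch places it under **Request**; move it above the `GET` example so the regional endpoints are shown before the URL they apply to. "If IP do not exist" should be "If IP does not exist". The request example omits the `Authorization: Bearer {token}` header that the headers table marks as required, and the response example needs a blank line between the `Content-type` header and the JSON body. The headers table here uses Name | Type | Description while the domain page uses Header | Value; align the two new pages.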
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
index 7b493211a5..42887d7fa8 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Is IP seen in org
+# Is IP seen in org (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Answers whether an IP was seen in the organization.
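Review bot: The blank line after the "Applies to" bullet is removed and `[!include[Deprecatedinformation](deprecate.md)]` is added directly under the list item, so the include becomes a continuation of the bullet and runs into "Answers whether an IP was seen in the organization." Keep a blank line before and after the include. The include label is written "Deprecatedinformation" here and "Deprecated information" in the isolate-machine hunk; use one form.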
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..696d961f94
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,108 @@
+---
+title: Isolate machine API
+description: Use this API to create calls related isolating a machine.
+keywords: apis, graph api, supported apis, isolate machine
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Isolate machine API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Isolates a machine from accessing external network.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Isolate | 'Isolate machine'
+Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/isolate
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'.
+
+**IsolationType** controls the type of isolation to perform and can be one of the following:
+- Full – Full isolation
+- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) for more details)
+
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
+Content-type: application/json
+{
+ "Comment": "Isolate machine due to alert 1234",
+ “IsolationType”: “Full”
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "b89eb834-4578-496c-8be0-03f004061435",
+ "type": "Isolate",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Isolate machine due to alert 1234",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z",
+ "relatedFileInfo": null
+}
+
+```
+
+To unisolate a machine, see [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md).
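Review bot: In the request example, the line `“IsolationType”: “Full”` uses typographic quotes, so the body is not valid JSON and a reader who pastes it will get a parse failure on a containment call; replace them with straight `"` as on the `"Comment"` line above it. The example also omits the `Authorization: Bearer {token}` header that the headers table marks as required, and both examples need a blank line between the `Content-type` header and the JSON body. In the parameter table, `Comment` is marked **Required** but `IsolationType` says neither required nor optional, and no default is given; state which isolation type is applied when it is omitted. Smaller points: the description reads "calls related isolating a machine" (missing "to"), the `requestor` value in the response has a trailing space inside the string, and the headers table mixes `String` and `string`.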
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
index 3ab7ab04d5..c7b6c877d3 100644
--- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Isolate machine API
+# Isolate machine API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Isolates a machine from accessing external network.
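Review bot: As in the IP page, the include is added with no blank line between the "Applies to" bullet above it and the description sentence below it; add a blank line on each side so the deprecation notice renders as its own block.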
diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
index 002cb3f3e8..3e8115cdf3 100644
--- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 10/16/2017
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
index a831efcf16..4f1279bc34 100644
--- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
@@ -20,7 +20,7 @@ ms.date: 05/08/2018
- Azure Active Directory
- Office 365
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..8c70bf4419
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,47 @@
+---
+title: Machine resource type
+description: Retrieves top machines
+keywords: apis, supported apis, get, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 11/11/2018
+---
+
+# Machine resource type
+
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[List machines](get-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List set of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the org.
+[Get machine](get-machine-by-id-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Get a [machine](machine-windows-defender-advanced-threat-protection-new.md) by its identity.
+[Get logged on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) | [user](user-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [User](user-windows-defender-advanced-threat-protection-new.md) that logged on to the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+[Get related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that were raised on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+[Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Add or Remove tag to a specific machine.
+[Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Find machines seen with IP.
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+id | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) identity.
+computerDnsName | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) fully qualified name.
+firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
+lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
+osPlatform | String | OS platform.
+osVersion | String | OS Version.
+lastIpAddress | Ip | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+lastExternalIpAddress | Ip | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
+agentVersion | String | Version of WDATP agent.
+osBuild | Int | OS build number.
+healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
+isAadJoined | Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
+machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
+rbacGroupId | Int | Group ID.
+riskScore | String | Risk score as evaludated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+aadDeviceId | String | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
\ No newline at end of file
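Review bot: "# Methods" and "# Properties" are written as H1, giving the page three top-level headings; make them `## Methods` and `## Properties` under "# Machine resource type". The front matter description "Retrieves top machines" describes a list call, not a resource type page. In the properties table, "evaludated" should be "evaluated", the `lastIpAddress` and `lastExternalIpAddress` rows use the type `Ip` where the other rows use plain type names, and "AAD" / "Aad Joined" casing is inconsistent within the last row. Unlike the other new API pages in this patch, this one has no "Applies to" block or prerelease include, and the file ends without a trailing newline.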
diff --git a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..6c225819b2
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,48 @@
+---
+title: machineAction resource type
+description: Retrieves top recent machineActions.
+keywords: apis, supported apis, get, machineaction, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# MachineAction resource type
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Method|Return Type |Description
+:---|:---|:---
+[List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | List [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities.
+[Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get a single [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity.
+[Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Collect investigation package from a [machine](machine-windows-defender-advanced-threat-protection-new.md).
+[Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get URI for downloading the investigation package.
+[Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Isolate [machine](machine-windows-defender-advanced-threat-protection-new.md) from network.
+[Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Release [machine](machine-windows-defender-advanced-threat-protection-new.md) from Isolation.
+[Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Restrict application execution.
+[Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Remove application execution restriction.
+[Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Run an AV scan using Windows Defender (when applicable).
+[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from WDATP.
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+id | Guid | Identity of the [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity.
+type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"
+requestor | String | Identity of the person that executed the action.
+requestorComment | String | Comment that was written when issuing the action.
+status | Enum | Current status of the command. Possible values are: "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".
+machineId | String | Id of the machine on which the action was executed.
+creationDateTimeUtc | DateTimeOffset | The date and time when the action was created.
+lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated.
+relatedFileInfo | Class | Contains two Properties. 1) string 'fileIdentifier' 2) Enum 'fileIdentifierType' with the possible values: "Sha1" ,"Sha256" and "Md5".
+
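Review bot: The "List MachineActions" row gives its return type as a single Machine Action, while the equivalent list rows in the machine resource page say "collection"; mark this one as a Machine Action collection. The methods table has no heading above it, and "# Properties" is an H1; add `## Methods` and demote Properties to `##`. The description "Retrieves top recent machineActions." describes a query rather than the resource type. In the `type` row, the enum lists "StopAndQuarantineFile" but no method in the table above produces it; either add the method or note where that action comes from. The hunk also ends with an empty added line that can be dropped.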
diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md
new file mode 100644
index 0000000000..fcbd68ecec
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md
@@ -0,0 +1,6 @@
+---
+ms.date: 08/28/2017
+author: zavidor
+---
+>[!Note]
+> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP.
diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index 830fa8ab3c..71992afbff 100644
--- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 09/03/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 76a5039107..352b56b258 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 09/03/2018
# Manage Windows Defender Advanced Threat Protection alerts
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
index bdecb21ec0..3f276fd070 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 06/14/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
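Review bot: the link target on the added "Applies to" line does not match its link text. The product name now points at Windows10_Commercial_Comparison.pdf, a Windows 10 edition comparison served from a blob.core.windows.net storage URL, not at a Windows Defender ATP page. The same substitution is repeated in most files of this change. Suggest keeping the product name as plain text and offering the PDF as a separately labelled link, as the minimum-requirements page in this change does with "see the [comparison PDF]".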
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
index c29f83b9b6..99572285a6 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
index 7fa091f70d..d078349bb4 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md
index 6f9871b74e..83a65ee991 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 010/08/2018
# Manage Windows Defender ATP incidents
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Prerelease information](prerelease.md)]
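Review bot: the hunk header context shows this file's front matter as `ms.date: 010/08/2018`, which has an extra leading zero and is not a valid MM/DD/YYYY date. Since the file is being edited anyway, correct the date in the same change (presumably 10/08/2018).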
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
index 15632e8fdf..7154f763fb 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/management-apis.md b/windows/security/threat-protection/windows-defender-atp/management-apis.md
index ca0c7f20f7..0837b7356d 100644
--- a/windows/security/threat-protection/windows-defender-atp/management-apis.md
+++ b/windows/security/threat-protection/windows-defender-atp/management-apis.md
@@ -17,7 +17,7 @@ ms.date: 09/03/2018
# Overview of management and APIs
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mgt-apis-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md
index 2e4d201684..ba9be2d111 100644
--- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md
+++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md
@@ -17,7 +17,7 @@ ms.date: 10/19/2018
# Configure Microsoft Cloud App Security in Windows
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Prerelease�information](prerelease.md)]
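Review bot: the trailing context line carries an undecodable character between "Prerelease" and "information" in the include label, where other pages in this change have a plain space (`[!include[Prerelease information](prerelease.md)]`). The same character appears in microsoft-cloud-app-security-integration.md. Replace it with an ASCII space while these files are open.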
diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md
index 6985c976f9..12da630b32 100644
--- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md
+++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md
@@ -16,7 +16,7 @@ ms.date: 10/18/2018
# Microsoft Cloud App Security in Windows overview
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Prerelease�information](prerelease.md)]
diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index db250caeda..e9577e41f5 100644
--- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -11,13 +11,13 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 07/01/2018
+ms.date: 11/06/2018
---
# Minimum requirements for Windows Defender ATP
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
There are some minimum requirements for onboarding machines to the service.
@@ -30,7 +30,9 @@ Windows Defender Advanced Threat Protection requires one of the following Micros
- Windows 10 Education E5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
-For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
+For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare).
+
+For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf).
## Related topic
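Review bot: the second added sentence repeats itself ("a detailed comparison table of Windows 10 commercial edition comparison"). Suggest "For a detailed comparison of Windows 10 commercial editions, see the [comparison PDF](...)". This hunk also drops the Windows 10 Licensing link, but the hunk header context in the onboard-configure page later in this diff still shows "For more information, see [Windows 10 Licensing]", so the two pages will point readers at different licensing references unless that one is updated too.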
diff --git a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
index 55ddba1528..71a710869a 100644
--- a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
@@ -11,17 +11,17 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 10/29/2018
---
# Managed security service provider support
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
-[!include[Prereleaseinformation](prerelease.md)]
+
Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network.
diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0200975d55
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,98 @@
+---
+title: Offboard machine API
+description: Use this API to offboard a machine from WDATP.
+keywords: apis, graph api, supported apis, collect investigation package
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Offboard machine API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Offboard machine from WDATP.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Offboard | 'Offboard machine'
+Delegated (work or school account) | Machine.Offboard | 'Offboard machine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to 'Global Admin' AD role
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/offboard
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
+Content-type: application/json
+{
+ "Comment": "Offboard machine by automation"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "c9042f9b-8483-4526-87b5-35e4c2532223",
+ "type": "OffboardMachine",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "offboard machine by automation",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+ "relatedFileInfo": null
+}
+
+```
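Review bot: the example request omits the `Authorization: Bearer {token}` header that the Request headers table marks as **Required**, and in both examples the JSON body follows `Content-type: application/json` with no blank line, so neither sample is a well-formed HTTP message. Add the header and the blank line. Other points in this file: the front matter `keywords` lists "collect investigation package", which looks carried over from another API page; the permissions note reads "The user needs to 'Global Admin' AD role" (missing "have"); the response shows `"requestorComment": "offboard machine by automation"` while the request sends "Offboard machine by automation"; and the one-line description "Offboard machine from WDATP." does not say what offboarding does to the machine or whether it can be reversed, which readers need to know for an action that the Application permission `Machine.Offboard` allows without a signed-in user.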
diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md
index c5dbddb3a0..17bba254f9 100644
--- a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md
@@ -21,7 +21,7 @@ ms.date: 04/24/2018
- Linux
- Windows Server 2012 R2
- Windows Server 2016
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index 33b5461d23..aa40fd346e 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 07/01/2018
# Onboard machines to the Windows Defender ATP service
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You need to turn on the sensor to give visibility within Windows Defender ATP.
@@ -42,7 +42,7 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
- Windows 7 SP1 Pro
- Windows 8.1 Enterprise
- Windows 8.1 Pro
-- Windows 10
+- Windows 10, version 1607 or later
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
@@ -50,7 +50,8 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
- Windows server
- Windows Server 2012 R2
- Windows Server 2016
- - Windows Server, version 1803
+ - Windows Server 2016, version 1803
+ - Windows Server 2019
Machines on your network must be running one of these editions.
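Review bot: the renamed entry "Windows Server 2016, version 1803" merges two different products. Windows Server, version 1803 is a Semi-Annual Channel release, not a version of Windows Server 2016, which is already listed on the line above. Suggest keeping "Windows Server, version 1803" as it was and adding only the new "Windows Server 2019" line.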
@@ -163,4 +164,4 @@ Topic | Description
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
\ No newline at end of file
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index b092882ebc..59c6a4e7a2 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -22,7 +22,7 @@ ms.date: 10/10/2018
- Windows 7 SP1 Pro
- Windows 8.1 Pro
- Windows 8.1 Enterprise
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Prerelease information](prerelease.md)]
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard.md b/windows/security/threat-protection/windows-defender-atp/onboard.md
index 461847ca9e..eff2042b2e 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard.md
@@ -17,7 +17,7 @@ ms.date: 09/03/2018
# Configure and manage Windows Defender ATP capabilities
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Configure and manage all the Windows Defender ATP capabilities to get the best security protection for your organization.
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md
index 5d7e92ddb8..fdd308623f 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md
@@ -17,7 +17,7 @@ ms.date: 07/01/2018
# Overview of attack surface reduction
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Attack surface reduction capabilities in Windows Defender ATP helps protect the devices and applications in your organization from new and emerging threats.
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md
index 64bf36aac0..de0be3f887 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md
@@ -11,15 +11,14 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 10/29/2018
---
# Custom detections overview
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-[!include[Prereleaseinformation](prerelease.md)]
Alerts in Windows Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats.
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md
index ccc6ab2c87..ae60213fe2 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md
@@ -17,7 +17,7 @@ ms.date: 09/03/2018
# Overview of endpoint detection and response
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
The Windows Defender ATP endpoint detection and response capabilities provides near real-time actionable advance attacks detections, enables security analysts to effectively prioritize alerts, unfold the full scope of a breach and take response actions to remediate the threat.
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md
index 88596a6cef..99b9d8721c 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md
@@ -14,7 +14,7 @@ ms.date: 09/07/2018
# Hardware-based isolation in Windows 10
-**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP)
+**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Windows Defender ATP.
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md
index bacc9fdbc1..5bed487738 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ ms.date: 09/12/2018
# Overview of advanced hunting
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Windows Defender Security Center.
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md
index 5cd11935ed..7e3637ad4f 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ ms.date: 09/03/2018
# Overview of Secure score in Windows Defender Security Center
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md
index df560a652f..9741504d5c 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview.md
@@ -17,7 +17,7 @@ ms.date: 09/03/2018
# Overview of Windows Defender ATP capabilities
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform.
diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index 1457a0d7dd..562664aec0 100644
--- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 04/24/2018
# Windows Defender Advanced Threat Protection portal overview
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..1a2575ea36
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,115 @@
+---
+title: Submit or Update Ti Indicator API
+description: Use this API to submit or Update Ti Indicator.
+keywords: apis, graph api, supported apis, submit, ti, ti indicator, update
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Submit or Update TI Indicator API
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+- Submits or Updates new [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
+
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/tiindicators
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required**
+indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
+action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
+title | String | TI indicator alert title. **Optional**
+expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
+severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
+description | String | Description of the indicator. **Optional**
+recommendedActions | String | TI indicator alert recommended actions. **Optional**
+
+
+## Response
+- If successful, this method returns 200 - OK response code and the created / updated [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body.
+- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit a TI Indicator with existing indicator value but with different Indicator type or Action.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/tiindicators
+Content-type: application/json
+{
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+ "createdBy": "45097602-1234-5678-1234-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+}
+
+```
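Review bot: In the response example, `@odata.context` ends in `$metadata#MachineActions/$entity`, which names the machine-action entity rather than the TI Indicator entity that the Response section says is returned. It looks copied from a machine-action page; please replace it with the context an actual call returns. In the Response section, "this method return" should be "returns", and the severity row writes "possible values" in lower case where the other rows capitalise it. Both examples also place the JSON body directly under the `Content-type` line with no blank line separating headers from body.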
diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
index 9cac40a33b..2af3d35376 100644
--- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 10/19/2018
# Create and build Power BI reports using Windows Defender ATP data
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
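Review bot: The link added to the Applies to bullet uses the product name as its text but targets `Windows10_Commercial_Comparison.pdf` on wincom.blob.core.windows.net, so a reader who clicks the product name gets a PDF download that, judging by the file name, is an edition comparison. Consider link text that says what the target is, or a separate licensing line under the bullet. The same substitution is repeated in the other Windows Defender ATP pages touched by this patch, so whatever is decided here should be applied to all of them.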
@@ -200,5 +200,10 @@ There are a couple of tabs on the report that's generated:
In general, if you know of a specific threat name, CVE, or KB, you can identify machines with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether machine-level mitigations are configured correctly on the machines and prioritize those that might need attention.
+## Related topic
+- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
+
+
+
diff --git a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
index b61ff7d784..545da6110c 100644
--- a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 04/24/2018
# PowerShell code examples for the custom threat intelligence API
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
index 828c4d45ac..d408ead55e 100644
--- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ ms.date: 04/24/2018
# Configure Windows Defender Security Center settings
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
index 2e309e3b2e..a3411e8a2a 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ ms.date: 04/24/2018
# Turn on the preview experience in Windows Defender ATP
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index 33048913ee..f77b086c9e 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -11,13 +11,13 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 11/05/2018
---
# Windows Defender ATP preview features
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
@@ -39,25 +39,10 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
-- [Threat analytics](threat-analytics.md)
-Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
-
- [Incidents](incidents-queue.md)
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
-- [Custom detection](overview-custom-detections.md)
- With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
-
-
-- [Managed security service provider (MSSP) support](mssp-support-windows-defender-advanced-threat-protection.md)
-Windows Defender ATP adds support for this scenario by providing MSSP integration.
-The integration will allow MSSPs to take the following actions:
-Get access to MSSP customer's Windows Defender Security Center portal, fet email notifications, and fetch alerts through security information and event management (SIEM) tools.
-
-- [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)
-Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
-
- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md)
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 52d6e869ad..4ede6cb172 100644
--- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 10/26/2018
# Pull Windows Defender ATP alerts using REST API
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
@@ -42,7 +42,7 @@ The _Client credential flow_ uses client credentials to authenticate against the
Use the following method in the Windows Defender ATP API to pull alerts in JSON format.
>[!NOTE]
->Only alerts with a status as "new" are pulled. Alerts that are "in progress" or "resolved" will not be pulled.
+>Windows Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering.
## Before you begin
- Before calling the Windows Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
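Review bot: The replacement note removes the statement that only alerts with status "new" are pulled, but does not say what the status behaviour is now. SIEM integrators who relied on that filter need to know whether "in progress" and "resolved" alerts are returned, so please state it explicitly alongside the new text about merged detections. Also, "pulls alert detections in its raw form" should read "in their raw form".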
diff --git a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
index 46742baa03..57d3428cbc 100644
--- a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 04/24/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
index 5503cf2607..bc2837f2bb 100644
--- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 05/08/2018
**Applies to:**
- Azure Active Directory
- Office 365
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-rbac-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
index d9baf6c10d..94706ede5a 100644
--- a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Request sample API
+# Request sample API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage.
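Review bot: The blank line after the Applies to bullet is removed, so `[!include[Deprecatedinformation](deprecate.md)]` now directly follows the list item and, with no blank line after it either, runs into the "Request sample of a file..." paragraph. Markdown will treat the include as a continuation of the bullet. Keep a blank line before and after the include so the deprecation notice renders as its own block.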
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 37af693216..e6e881df90 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 04/24/2018
# Take response actions on a file
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index 0519af3f67..3ad2b9c1a8 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -11,13 +11,13 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 12/12/2017
+ms.date: 11/05/2018
---
# Take response actions on a machine
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink)
@@ -182,7 +182,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
-On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
+On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
>[!NOTE]
>You’ll be able to reconnect the machine back to the network at any time.
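Review bot: The parenthetical is written "(a.k.a 'Selective Isolation')" here and "(a.k.a. 'Selective Isolation')" in step 3 of the next hunk; pick one spelling, or better, introduce the term once in plain words, for example "This is called Selective Isolation." The two sentences also differ on the product name ("Outlook and Skype for Business" here, "Outlook and Skype" in step 3), which should be aligned.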
@@ -198,7 +198,7 @@ On Windows 10, version 1709 or later, you'll have additional control over the ne

-3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated.
+3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation').

diff --git a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
index 565ee7cc61..202606d056 100644
--- a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 11/12/2017
# Take response actions in Windows Defender ATP
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d57876fdc0
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,101 @@
+---
+title: Restrict app execution API
+description: Use this API to create calls related to restricting an application from executing.
+keywords: apis, graph api, supported apis, collect investigation package
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Restrict app execution API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information)
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.RestrictExecution | 'Restrict code execution'
+Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/restrictCodeExecution
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution
+Content-type: application/json
+{
+ "Comment": "Restrict code execution due to alert 1234"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "78d408d1-384c-4c19-8b57-ba39e378011a",
+ "type": "RestrictCodeExecution",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Restrict code execution due to alert 1234",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+ "relatedFileInfo": null
+}
+
+```
+
+To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md).
+
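Review bot: The request example omits the `Authorization: Bearer {token}` header that the Request headers table marks as required, so a reader copying the example gets a call that cannot succeed; add it, and put a blank line between the headers and the JSON body. In the response example, `"requestor": "Analyst@contoso.com "` has a trailing space inside the string. The `[!include[Improve request performance](improverequestperformance-new.md)]` line sits under Response although, judging by its name, it is advice about where to send the request, so it belongs under Request. In the front matter, the keywords include "collect investigation package", which looks copied from another API page, and the description speaks of "restricting an application from executing" while the body says the call restricts all applications except a predefined set. Finally, the headers table types `Content-Type` as `string` where the other rows use `String`.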
diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
index c3845d021a..1722b1f921 100644
--- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,12 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Restrict app execution API
+# Restrict app execution API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Restrict execution of set of predefined applications.
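Review bot: With the blank line after the Applies to bullet removed, `[!include[Deprecatedinformation](deprecate.md)]` is sandwiched between the list item and the "Restrict execution of set of predefined applications." paragraph with no blank lines, so it will render as part of the bullet. Restore a blank line on both sides. Since this patch also adds a replacement page (`restrict-code-execution-windows-defender-advanced-threat-protection-new.md`), it would help to link to it from here unless `deprecate.md` already does.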
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md
new file mode 100644
index 0000000000..8decfce57c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md
@@ -0,0 +1,151 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Advanced hunting API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+
+This API allows you to run programmatic queries that you are used to running from [Windows Defender ATP Portal](https://securitycenter.windows.com/hunting).
+
+
+## Limitations
+This API is a beta version only and is currently restricted to the following actions:
+1. You can only run a query on data from the last 30 days
+2. The results will include a maximum of 10,000 rows
+3. The number of executions is limited (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day)
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | AdvancedQuery.Read.All | 'Run advanced queries'
+Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have 'Global Admin' AD role (note: will be updated soon to 'View Data')
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/advancedqueries/run
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content-Type | application/json
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Query | Text | The query to run. **Required**.
+
+## Response
+If successful, this method returns 200 OK, and _QueryResponse_ object in the response body.
+
+
+## Example
+
+Request
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+POST https://api.securitycenter.windows.com/api/advancedqueries/run
+Content-type: application/json
+{
+ "Query":"ProcessCreationEvents
+| where InitiatingProcessFileName =~ \"powershell.exe\"
+| where ProcessCommandLine contains \"appdata\"
+| project EventTime, FileName, InitiatingProcessFileName
+| limit 2"
+}
+```
+
+Response
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+{
+ "Schema": [{
+ "Name": "EventTime",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "FileName",
+ "Type": "String"
+ },
+ {
+ "Name": "InitiatingProcessFileName",
+ "Type": "String"
+ }],
+ "Results": [{
+ "EventTime": "2018-07-09T07:16:26.8017265",
+ "FileName": "csc.exe",
+ "InitiatingProcessFileName": "powershell.exe"
+ },
+ {
+ "EventTime": "2018-07-08T19:00:02.7798905",
+ "FileName": "gpresult.exe",
+ "InitiatingProcessFileName": "powershell.exe"
+ }]
+}
+
+
+```
+
+## Troubleshoot issues
+
+- Error: (403) Forbidden
+
+
+ If you get this error when calling Windows Defender ATP API, your token might not include the necessary permission.
+
+ Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token.
+
+ If the 'roles' section in the token does not include the necessary permission:
+
+ - The necessary permission to your app might not have been granted. For more information, see [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or,
+ - The app was not authorized in the tenant, see [Application consent](exposed-apis-create-app-webapp.md#application-consent).
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting from Portal](advanced-hunting-windows-defender-advanced-threat-protection.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
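Review bot: The request example is not valid JSON: the `"Query"` string value spans five physical lines, and JSON strings cannot contain raw line breaks. Put the query on one line or use `\n` escapes so the example can be pasted as is. The request also omits the `Authorization` header that the headers table marks as required. In Limitations, "restricted to the following actions" introduces a list of limits rather than actions; "subject to the following limits" would be accurate. The permissions note requires the 'Global Admin' AD role for delegated tokens, which is far broader than a read-only query needs; since the text already says this will change to 'View Data', please add a tracking reference or date so the over-privileged requirement is not left in place indefinitely. In Troubleshoot issues, the text links to validating both app and delegated tokens but then tells the reader to check only the 'roles' section; delegated permissions appear in the `scp` claim, so mention both.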
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md
new file mode 100644
index 0000000000..d5e16fbf5a
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md
@@ -0,0 +1,88 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# Schedule Advanced Hunting using Microsoft Flow
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Schedule advanced query.
+
+## Before you begin
+You first need to [create an app](apis-intro.md).
+
+## Use case
+
+A common scenario is scheduling an advanced query and using the results for follow up actions and processing.
+In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/en-us/services/logic-apps/)).
+
+## Define a flow to run query and parse results
+
+Use the following basic flow as an example.
+
+1. Define the trigger – Recurrence by time.
+
+2. Add an action: Select HTTP.
+
+ 
+
+ - Set method to be POST
+ - Uri is https://api.securitycenter.windows.com/api/advancedqueries/run or one of the region specific locations
+ - US: https://api-us.securitycenter.windows.com/api/advancedqueries/run
+ - Europe: https://api-eu.securitycenter.windows.com/api/advancedqueries/run
+ - United Kingdom: https://api-uk.securitycenter.windows.com/api/advancedqueries/run
+ - Add the Header: Content-Type application/json
+ - In the body write your query surrounded by single quotation mark (')
+ - In the Advanced options select Authentication to be Active Directory OAuth
+ - Set the Tenant with proper AAD Tenant Id
+ - Audience is https://api.securitycenter.windows.com
+ - Client ID is your application ID
+ - Credential Type should be Secret
+ - Secret is the application secret generated in the Azure Active directory.
+
+ 
+
+3. You can use the "Parse JSON" action to get the schema of data – just "use sample payload to generate schema" and copy an output from of the expected result.
+
+ 
+
+## Expand the flow to use the query results
+
+The following section shows how to use the parsed results to insert them in SQL database.
+
+This is an example only, you can use other actions supported by Microsoft Flow.
+
+- Add an 'Apply to each' action
+- Select the Results json (which was an output of the last parse action)
+- Add an 'Insert row' action – you will need to supply the connection details
+- Select the table you want to update and define the mapping between the WD-ATP output to the SQL. Note it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime.
+
+
+
+The output in the SQL DB is getting updates and can be used for correlation with other data sources. You can now read from your table:
+
+
+
+## Full flow definition
+
+You can find below the full definition
+
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
\ No newline at end of file
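Review bot: Step 2 says "In the body write your query surrounded by single quotation mark (')", but the Advanced Hunting API page added in this same patch requires a JSON object with a `Query` parameter; please show the exact body the HTTP action should send so the reader does not have to infer it from the screenshot. The front matter `title` and `description` ("Advanced Hunting API", "Use this API to run advanced queries") are copied from the API page, so two different pages will share one title in search results. In step 3, "copy an output from of the expected result" has a stray word. "In the example I changed the type of the EventTime" switches to first person and does not say what the type was changed to. The step that enters the application secret into the HTTP action would benefit from a sentence on who can view the flow definition, since the "Full flow definition" section publishes it as an image. The file also lacks a trailing newline.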
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md
new file mode 100644
index 0000000000..ce6ccb012c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md
@@ -0,0 +1,134 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Create custom reports using Power BI (app authentication)
+
+Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
+
+In this section we share Power BI query sample to run a query using **application token**.
+
+If you want to use **user token** instead please refer to [this](run-advanced-query-sample-power-bi-user-token.md) tutorial.
+
+>**Prerequisite**: You first need to [create an app](exposed-apis-create-app-webapp.md).
+
+## Run a query
+
+- Open Microsoft Power BI
+
+- Click **Get Data** > **Blank Query**
+
+ 
+
+- Click **Advanced Editor**
+
+ 
+
+- Copy the below and paste it in the editor, after you update the values of TenantId, AppId, AppSecret, Query
+
+ ```
+ let
+
+ TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here
+ AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here
+ AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here
+ Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here
+
+ ResourceAppIdUrl = "https://api.securitycenter.windows.com",
+ OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""),
+
+ Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="),
+ ClientId = Text.Combine({"client_id", AppId}, "="),
+ ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="),
+ GrantType = Text.Combine({"grant_type", "client_credentials"}, "="),
+
+ Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"),
+
+ AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])),
+ AccessToken= AuthResponse[access_token],
+ Bearer = Text.Combine({"Bearer", AccessToken}, " "),
+
+ AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run",
+
+ Response = Json.Document(Web.Contents(
+ AdvancedHuntingUrl,
+ [
+ Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer],
+ Content=Json.FromValue([#"Query"=Query])
+ ]
+ )),
+
+ TypeMap = #table(
+ { "Type", "PowerBiType" },
+ {
+ { "Double", Double.Type },
+ { "Int64", Int64.Type },
+ { "Int32", Int32.Type },
+ { "Int16", Int16.Type },
+ { "UInt64", Number.Type },
+ { "UInt32", Number.Type },
+ { "UInt16", Number.Type },
+ { "Byte", Byte.Type },
+ { "Single", Single.Type },
+ { "Decimal", Decimal.Type },
+ { "TimeSpan", Duration.Type },
+ { "DateTime", DateTimeZone.Type },
+ { "String", Text.Type },
+ { "Boolean", Logical.Type },
+ { "SByte", Logical.Type },
+ { "Guid", Text.Type }
+ }),
+
+ Schema = Table.FromRecords(Response[Schema]),
+ TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
+ Results = Response[Results],
+ Rows = Table.FromRecords(Results, Schema[Name]),
+ Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
+
+ in Table
+
+ ```
+
+- Click **Done**
+
+ 
+
+- Click **Edit Credentials**
+
+ 
+
+- Select **Anonymous** and click **Connect**
+
+ 
+
+- Repeat the previous step for the second URL
+
+- Click **Continue**
+
+ 
+
+- Select the privacy level you want and click **Save**
+
+ 
+
+- View the results of your query
+
+ 
+
+## Related topic
+- [Create custom Power BI reports with user authentication](run-advanced-query-sample-power-bi-user-token.md)
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
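Review bot: The `AppSecret = "..."` line in the `let` block has readers paste the client secret into the query as a literal, and the later step selects **Anonymous** credentials, so the secret is stored in clear text in the query and is readable by anyone who can open the report's Advanced Editor. The page should state this next to the sample and point to the user-token tutorial for reports that will be shared, or at least recommend a dedicated app whose secret is rotated. Smaller points: `ClientId` is the only form field not passed through `Uri.EscapeDataString`; `ms.date: 30/07/2018` is day-first while other files in this patch use month-first (`09/24/2018`); and `title: Advanced Hunting API` does not match the H1.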
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md
new file mode 100644
index 0000000000..b065578d98
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md
@@ -0,0 +1,115 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Create custom reports using Power BI (user authentication)
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
+
+In this section we share Power BI query sample to run a query using **user token**.
+
+If you want to use **application token** instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial.
+
+## Before you begin
+You first need to [create an app](exposed-apis-create-app-nativeapp.md).
+
+## Run a query
+
+- Open Microsoft Power BI
+
+- Click **Get Data** > **Blank Query**
+
+ 
+
+- Click **Advanced Editor**
+
+ 
+
+- Copy the below and paste it in the editor, after you update the values of Query
+
+ ```
+ let
+
+ Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId",
+
+ FormattedQuery= Uri.EscapeDataString(Query),
+
+ AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries?key=" & FormattedQuery,
+
+ Response = Json.Document(Web.Contents(AdvancedHuntingUrl)),
+
+ TypeMap = #table(
+ { "Type", "PowerBiType" },
+ {
+ { "Double", Double.Type },
+ { "Int64", Int64.Type },
+ { "Int32", Int32.Type },
+ { "Int16", Int16.Type },
+ { "UInt64", Number.Type },
+ { "UInt32", Number.Type },
+ { "UInt16", Number.Type },
+ { "Byte", Byte.Type },
+ { "Single", Single.Type },
+ { "Decimal", Decimal.Type },
+ { "TimeSpan", Duration.Type },
+ { "DateTime", DateTimeZone.Type },
+ { "String", Text.Type },
+ { "Boolean", Logical.Type },
+ { "SByte", Logical.Type },
+ { "Guid", Text.Type }
+ }),
+
+ Schema = Table.FromRecords(Response[Schema]),
+ TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
+ Results = Response[Results],
+ Rows = Table.FromRecords(Results, Schema[Name]),
+ Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
+
+ in Table
+
+ ```
+
+- Click **Done**
+
+ 
+
+- Click **Edit Credentials**
+
+ 
+
+- Select **Organizational account** > **Sign in**
+
+ 
+
+- Enter your credentials and wait to be signed in
+
+- Click **Connect**
+
+ 
+
+- View the results of your query
+
+ 
+
+## Related topic
+- [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md)
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
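Review bot: `AdvancedHuntingUrl` in this sample is built as `.../api/advancedqueries?key=` plus the escaped query and fetched with a plain `Web.Contents` GET, while the app-token, PowerShell and Python samples in this patch all POST a JSON body to `/api/advancedqueries/run`. If both routes are supported, say why this sample uses the GET form; otherwise align it, since carrying the query text in the URL subjects it to URL length limits and to request logging. In `TypeMap`, `{ "SByte", Logical.Type }` looks like a copy of the `Boolean` row and should map to a numeric type, and `ms.date: 30/07/2018` is day-first, unlike the month-first dates elsewhere in the patch.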
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md
new file mode 100644
index 0000000000..76fa741ab6
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md
@@ -0,0 +1,119 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# Advanced Hunting using PowerShell
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md).
+
+In this section we share PowerShell samples to retrieve a token and use it to run a query.
+
+## Before you begin
+You first need to [create an app](apis-intro.md).
+
+## Preparation instructions
+
+- Open a PowerShell window.
+- If your policy does not allow you to run the PowerShell commands, you can run the below command:
+```
+Set-ExecutionPolicy -ExecutionPolicy Bypass
+```
+
+>For more details, see [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
+
+## Get token
+
+- Run the following:
+
+```
+$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
+$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
+$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
+
+$resourceAppIdUri = 'https://api.securitycenter.windows.com'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$body = [Ordered] @{
+ resource = "$resourceAppIdUri"
+ client_id = "$appId"
+ client_secret = "$appSecret"
+ grant_type = 'client_credentials'
+}
+$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
+$aadToken = $response.access_token
+
+```
+
+where
+- $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
+- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+- $appSecret: Secret of your AAD app
+
+## Run query
+
+Run the following query:
+
+```
+$query = 'RegistryEvents | limit 10' # Paste your own query here
+
+$url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
+$headers = @{
+ 'Content-Type' = 'application/json'
+ Accept = 'application/json'
+ Authorization = "Bearer $aadToken"
+}
+$body = ConvertTo-Json -InputObject @{ 'Query' = $query }
+$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop
+$response = $webResponse | ConvertFrom-Json
+$results = $response.Results
+$schema = $response.Schema
+```
+
+- $results contains the results of your query
+- $schema contains the schema of the results of your query
+
+### Complex queries
+
+If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command:
+
+```
+$query = [IO.File]::ReadAllText("C:\myQuery.txt"); # Replace with the path to your file
+```
+
+## Work with query results
+
+You can now use the query results.
+
+To output the results of the query in CSV format in file file1.csv do the below:
+
+```
+$results | ConvertTo-Csv -NoTypeInformation | Set-Content file1.csv
+```
+
+To output the results of the query in JSON format in file file1.json do the below:
+
+```
+$results | ConvertTo-Json | Set-Content file1.json
+```
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
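Review bot: `Set-ExecutionPolicy -ExecutionPolicy Bypass` under "Preparation instructions" is given without `-Scope`, so it applies at the cmdlet's default LocalMachine scope and leaves script execution unrestricted on the machine after the sample has been run. Suggest `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process`, which limits the change to the current PowerShell window. In "Get token", `$appSecret` is a literal in the script; add a line telling readers not to save the secret in a script file. "Before you begin" links "create an app" to `apis-intro.md`, whereas the Power BI pages link to the specific `exposed-apis-create-app-*.md` topics.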
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md
new file mode 100644
index 0000000000..71784d6ccd
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md
@@ -0,0 +1,146 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Advanced Hunting using Python
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md).
+
+In this section we share Python samples to retrieve a token and use it to run a query.
+
+>**Prerequisite**: You first need to [create an app](apis-intro.md).
+
+## Get token
+
+- Run the following:
+
+```
+
+import json
+import urllib.request
+import urllib.parse
+
+tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
+appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
+appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
+
+url = "https://login.windows.net/%s/oauth2/token" % (tenantId)
+
+resourceAppIdUri = 'https://api.securitycenter.windows.com'
+
+body = {
+ 'resource' : resourceAppIdUri,
+ 'client_id' : appId,
+ 'client_secret' : appSecret,
+ 'grant_type' : 'client_credentials'
+}
+
+data = urllib.parse.urlencode(body).encode("utf-8")
+
+req = urllib.request.Request(url, data)
+response = urllib.request.urlopen(req)
+jsonResponse = json.loads(response.read())
+aadToken = jsonResponse["access_token"]
+
+```
+
+where
+- tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
+- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+- appSecret: Secret of your AAD app
+
+## Run query
+
+ Run the following query:
+
+```
+query = 'RegistryEvents | limit 10' # Paste your own query here
+
+url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
+headers = {
+ 'Content-Type' : 'application/json',
+ 'Accept' : 'application/json',
+ 'Authorization' : "Bearer " + aadToken
+}
+
+data = json.dumps({ 'Query' : query }).encode("utf-8")
+
+req = urllib.request.Request(url, data, headers)
+response = urllib.request.urlopen(req)
+jsonResponse = json.loads(response.read())
+schema = jsonResponse["Schema"]
+results = jsonResponse["Results"]
+
+```
+
+- schema contains the schema of the results of your query
+- results contains the results of your query
+
+### Complex queries
+
+If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command:
+
+```
+queryFile = open("D:\\Temp\\myQuery.txt", 'r') # Replace with the path to your file
+query = queryFile.read()
+queryFile.close()
+```
+
+## Work with query results
+
+You can now use the query results.
+
+To iterate over the results do the below:
+
+```
+for result in results:
+ print(result) # Prints the whole result
+ print(result["EventTime"]) # Prints only the property 'EventTime' from the result
+
+
+```
+
+
+To output the results of the query in CSV format in file file1.csv do the below:
+
+```
+import csv
+
+outputFile = open("D:\\Temp\\file1.csv", 'w')
+output = csv.writer(outputFile)
+output.writerow(results[0].keys())
+for result in results:
+ output.writerow(result.values())
+
+outputFile.close()
+```
+
+To output the results of the query in JSON format in file file1.json do the below:
+
+```
+outputFile = open("D:\\Temp\\file1.json", 'w')
+json.dump(results, outputFile)
+outputFile.close()
+```
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
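Review bot: The CSV export sample calls `output.writerow(results[0].keys())`, which raises `IndexError` when the query returns no rows, and opens the file with `open("D:\\Temp\\file1.csv", 'w')` without `newline=''`, which on Windows writes a blank line after every record. Guard the empty case and open the file as the `csv` module documents; using `with open(...)` in all three file samples would also close the handle if a write fails. The iteration sample prints `result["EventTime"]`, which fails with `KeyError` for any query whose output has no `EventTime` column, so say that the key depends on the query. As in the PowerShell page, `appSecret` is a literal in the script and deserves a note about not committing it.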
diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..c9ae44eb2b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,107 @@
+---
+title: Run antivirus scan API
+description: Use this API to create calls related to running an antivirus scan on a machine.
+keywords: apis, graph api, supported apis, remove machine from isolation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Run antivirus scan API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Initiate Windows Defender Antivirus scan on a machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Scan | 'Scan machine'
+Delegated (work or school account) | Machine.Scan | 'Scan machine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/runAntiVirusScan
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+ScanType| String | Defines the type of the Scan. **Required**.
+
+**ScanType** controls the type of scan to perform and can be one of the following:
+
+- **Quick** – Perform quick scan on the machine
+- **Full** – Perform full scan on the machine
+
+
+
+## Response
+If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
+Content-type: application/json
+{
+ "Comment": "Check machine for viruses due to alert 3212",
+ “ScanType”: “Full”
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+ "relatedFileInfo": null
+}
+
+```
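Review bot: In the request example, the line `“ScanType”: “Full”` uses typographic quotes, so the body is not valid JSON and is rejected if copied as written; change it to `"ScanType": "Full"`. The same example omits the `Authorization: Bearer {token}` header that the headers table marks **Required**. The `keywords` front matter still reads "remove machine from isolation", apparently carried over from another page, and the `[!include[Improve request performance](improverequestperformance-new.md)]` line sits between "Here is an example of the response." and the response block it introduces.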
diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
index 52cab18906..40d0e7da3f 100644
--- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,12 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Run antivirus scan API
+# Run antivirus scan API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Initiate Windows Defender Antivirus scan on the machine.
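Review bot: The added `[!include[Deprecated information](deprecate.md)]` line follows the "Applies to" list item directly, because the blank line after the list is removed in the same change; without a separating blank line the include can render as a continuation of the bullet. Keep the blank line between the list and the include.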
diff --git a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
index ad6fbc2bec..e0cf7f036b 100644
--- a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
@@ -22,7 +22,7 @@ ms.date: 09/07/2018
- Windows Server 2016
- Windows Server, version 1803
- Windows Server, 2019
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
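Review bot: The "Applies to" entry now links the product name to `Windows10_Commercial_Comparison.pdf` on `wincom.blob.core.windows.net`, which is a PDF download from a storage host rather than a docs page, and the link text gives no hint of that. The same substitution repeats across the files in this patch; consider marking the link as a PDF or explaining in the commit message why this target was chosen.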
diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
index 1ca8dbce8e..6fff222564 100644
--- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
@@ -10,12 +10,12 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 04/24/2018
+ms.date: 10/26/2018
---
# Configure the security controls in Secure score
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Each security control lists recommendations that you can take to increase the security posture of your organization.
@@ -175,6 +175,10 @@ For more information, see [Windows Defender Application Guard overview](../windo
### Windows Defender SmartScreen optimization
For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled.
+>[!WARNING]
+> Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Windows Defender ATP data.
+
+
>[!IMPORTANT]
>This security control is only applicable for machines with Windows 10, version 1709 or later.
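Review bot: The new `[!WARNING]` under "Windows Defender SmartScreen optimization" tells readers that SmartScreen data may be stored and processed outside their selected storage location but gives no link or next step; reference the topic where that storage location is described so the warning is actionable. It is also followed by two added blank lines where one is enough.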
diff --git a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md
index 907d6c7b27..a5f69cd49c 100644
--- a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 09/04/2018
# Windows Defender Security Center Security operations dashboard
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
index 65de179e29..b74a5f896b 100644
--- a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 04/24/2018
# Check the Windows Defender Advanced Threat Protection service health
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
index 837e642aa1..078ced8e48 100644
--- a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,12 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Stop and quarantine file API
+# Stop and quarantine file API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecated information](deprecate.md)]
Stop execution of a file on a machine and ensure it’s not executed again on that machine.
diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
index 83fbe686fb..aff0ccd147 100644
--- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
@@ -14,15 +14,14 @@ ms.localizationpriority: medium
ms.date: 09/03/2018
---
-# Supported Windows Defender ATP query APIs
+# Supported Windows Defender ATP query APIs (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
-
Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
## In this section
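Review bot: The added include is labelled `Deprecatedinformation` with no space, while the other deprecated pages in this patch use `[!include[Deprecated information](deprecate.md)]`; use the spaced label here as well. The H1 gains "(deprecated)" but the `title` front matter is not part of the change, so check that the two still agree.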
@@ -38,5 +37,4 @@ User | Run API calls such as get alert related user information, user informatio
KbInfo | Run API call that gets list of Windows KB's information
CveKbMap | Run API call that gets mapping of CVE's to corresponding KB's
MachineSecurityStates | Run API call that gets list of machines with their security properties and versions
-MachineGroups | Run API call that gets list of machine group definitions
-
+MachineGroups | Run API call that gets list of machine group definitions
\ No newline at end of file
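Review bot: The `MachineGroups` table row is rewritten only to drop the trailing blank line, which leaves the file without a final newline (`\ No newline at end of file`). Keep the newline so this row does not show up as changed and later appends do not modify it again.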
diff --git a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md
index fe228f3acc..55dd5a1cfc 100644
--- a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 12/01/2017
# Supported Windows Defender ATP query APIs
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
index 321085bc62..4aab3cf41a 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ ms.date: 09/03/2018
# Threat analytics for Spectre and Meltdown
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
The **Threat analytics** dashboard provides insight on how emerging threats affect your organization. It provides information that's specific for your organization.
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md
index 3bde0d0f86..ba29920b5d 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md
@@ -11,14 +11,13 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 10/29/2018
---
# Threat analytics
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-[!include[Prereleaseinformation](prerelease.md)]
Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly assess their security posture, including impact, and organizational resilience in the context of specific emerging threats.
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index 3f5a0597bd..155f23aef6 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 09/03/2018
# Understand threat intelligence concepts
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md
index 4c9c126a2d..e0301cebc1 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md
@@ -18,7 +18,7 @@ ms.date: 10/12/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace.
diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d8693cd298
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,45 @@
+---
+title: TiIndicator resource type
+description: TiIndicator entity description.
+keywords: apis, supported apis, get, TiIndicator, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# TI(threat intelligence) Indicator resource type
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Method|Return Type |Description
+:---|:---|:---
+[List TI Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+[Get TI Indicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Gets the requested [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[Submit TI Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[Delete TI Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url"
+title | String | Ti indicator alert title.
+creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
+createdBy | String | Identity of the user/application that submitted the indicator.
+expirationTime | DateTimeOffset | The expiration time of the indicator
+action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed"
+severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High"
+description | String | Description of the indicator.
+recommendedActions | String | TI indicator alert recommended actions.
+
+
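Review bot: The `action` row lists "Allowed" next to "Alert" and "AlertAndBlock" without saying what it does. An allow entry is the value most likely to mask a detection, so the table should state its effect and what happens once `expirationTime` passes. Smaller points in the same file: `# Properties` is a second H1 and should be `## Properties`; the heading `# TI(threat intelligence) Indicator resource type` is missing a space before the parenthesis; the `severity` row starts a sentence with lowercase "possible values"; "if the indicator will be discovered" should read "if the indicator is discovered"; and the Applies-to bullet is the unlinked form that the rest of this patch replaces.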
diff --git a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
index 4dd9223f2d..e513ef6ba4 100644
--- a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 02/13/2018
# Windows Defender Security Center time zone settings
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index 813babce81..193e3acb5f 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 06/25/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
index dce7b35436..01a0beefda 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.date: 08/01/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 7f38e2545a..3a34547911 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 09/07/2018
# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
- Windows Server 2012 R2
- Windows Server 2016
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
index 2d4fc88758..8c7c0f5e5f 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -11,13 +11,13 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 02/13/2018
+ms.date: 11/08/2018
---
# Troubleshoot SIEM tool integration issues
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
@@ -67,6 +67,12 @@ If you encounter an error when trying to get a refresh token when using the thre
6. Click **Save**.
+## Error while enabling the SIEM connector application
+If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
+
+
+
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink)
## Related topics
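Review bot: The new paragraph under `## Error while enabling the SIEM connector application` tells the reader to check the pop-up blocker settings but not what to change. Say to allow pop-ups for the Windows Defender Security Center site specifically, so the step is not read as advice to turn the blocker off for all sites. The four empty `+` lines after the paragraph should be reduced to one.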
diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
index c0abbe6cdd..ad824d3ab2 100644
--- a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Unblock file API
+# Unblock file API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Allow a file to be executed in the organization, using Windows Defender Antivirus.
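Review bot: The added `+[!include[Deprecatedinformation](deprecate.md)]` line follows the Applies-to bullet with no blank line, because the hunk removes the empty line that used to separate the list from the body. Markdown can treat the include as a continuation of the list item, which would render the deprecation notice inside the bullet. Keep a blank line between the bullet and the include. The same edit is made to the deprecated unisolate and unrestrict pages later in this patch.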
diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0b654aa63c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,105 @@
+---
+title: Release machine from isolation API
+description: Use this API to create calls related to release a machine from isolation.
+keywords: apis, graph api, supported apis, remove machine from isolation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Release machine from isolation API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Undo isolation of a machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Isolate | 'Isolate machine'
+Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
+Content-type: application/json
+{
+ "Comment": "Unisolate machine since it was clean and validated"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "09a0f91e-a2eb-409d-af33-5577fe9bd558",
+ "type": "Unisolate",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Unisolate machine since it was clean and validated ",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:13:15.0104931Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:13:15.0104931Z",
+ "relatedFileInfo": null
+}
+
+```
+
+To isolate a machine, see [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md).
+
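Review bot: The request example omits the `Authorization` header although the Request headers table marks it **Required**; add `Authorization: Bearer {token}` to the sample so a copied request matches the documented contract. In the response example, `"requestor": "Analyst@contoso.com "` and `"requestorComment"` carry a trailing space inside the string; remove it unless the API really returns it. Both examples also need a blank line between the header lines and the JSON body. The Permissions table reuses `Machine.Isolate` for the release call; a sentence confirming that this is intended would help, since it means any application granted the isolate permission can also release a machine. The headers table also mixes `String` and `string`.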
diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
index f7b0fe34b5..8898ab6189 100644
--- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Release machine from isolation API
+# Release machine from isolation API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Undo isolation of a machine.
diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..8ca7430854
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,100 @@
+---
+title: Remove app restriction API
+description: Use this API to create calls related to removing a restriction from applications from executing.
+keywords: apis, graph api, supported apis, remove machine from isolation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Remove app restriction API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Enable execution of any application on the machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.RestrictExecution | 'Restrict code execution'
+Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution
+```
+
+## Request headers
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution
+Content-type: application/json
+{
+ "Comment": "Unrestrict code execution since machine was cleaned and validated"
+}
+
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
+ "type": "UnrestrictCodeExecution",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Unrestrict code execution since machine was cleaned and validated ",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:15:40.6052029Z",
+ "relatedFileInfo": null
+}
+
+```
+
+To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md).
\ No newline at end of file
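Review bot: The summary line `+Enable execution of any application on the machine.` disagrees with the deprecated page in this same patch, which describes the action as "Unrestrict execution of set of predefined applications." State precisely which restriction the call lifts, since a reader deciding whether to grant `Machine.RestrictExecution` needs to know the scope. The front matter `keywords` line still reads "remove machine from isolation", copied from the unisolate page, and the `description` ("removing a restriction from applications from executing") needs rewording. The request example omits the required `Authorization` header, the response lacks the truncation note that the unisolate page carries, `"requestorComment"` ends with a stray space, and the file has no trailing newline.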
diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
index 393d41412f..e011fa5800 100644
--- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,13 @@ ms.localizationpriority: medium
ms.date: 12/08/2017
---
-# Remove app restriction API
+# Remove app restriction API (deprecated)
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+[!include[Deprecatedinformation](deprecate.md)]
Unrestrict execution of set of predefined applications.
diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..1ce73605cf
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,108 @@
+---
+title: Get alert information by ID API
+description: Retrieves an alert by its ID.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Update alert
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prereleaseinformation](prerelease.md)]
+Update the properties of an alert entity.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alerts.ReadWrite.All | 'Read and write all alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+PATCH /api/alerts/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
+
+
+## Request body
+In the request body, supply the values for the relevant fields that should be updated.Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change.
+
+Property | Type | Description
+:---|:---|:---
+status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+assignedTo | String | Owner of the alert
+classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+
+
+## Response
+If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+PATCH https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
+Content-Type: application/json
+{
+ "assignedTo": "Our designated secop"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
+ "id": "636688558380765161_2136280442",
+ "severity": "Medium",
+ "status": "InProgress",
+ "description": "An anomalous memory operation appears to be tampering with a process associated with the Windows Defender EDR sensor.",
+ "recommendedAction": "A. Validate the alert.\n1. Examine the process involved in the memory operation to determine whether the process and the observed activities are normal. \n2. Check for other suspicious activities in the machine timeline.\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\n4. Submit relevant files for deep analysis and review file behaviors. \n5. Identify unusual system activity with system owners. \n\nB. Scope the incident. Find related machines, network addresses, and files in the incident graph. \n\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\n\nD. Contact your incident response team, or contact Microsoft support for investigation and remediation services.",
+ "alertCreationTime": "2018-08-07T10:18:04.2665329Z",
+ "category": "Installation",
+ "title": "Possible sensor tampering in memory",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": null,
+ "determination": null,
+ "assignedTo": "Our designated secop",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-07T10:14:35.470671Z",
+ "firstEventTime": "2018-08-07T10:14:35.470671Z",
+ "actorName": null,
+ "machineId": "a2250e1cd215af1ea2818ef8d01a564f67542857"
+}
+```
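Review bot: The front matter was copied from the get-alert page: `title: Get alert information by ID API` and `description: Retrieves an alert by its ID.` do not match the `# Update alert` heading and will surface the wrong title in search. In the Permissions table, the application permission is `Alerts.ReadWrite.All` while the delegated one is `Alert.ReadWrite`; confirm the singular/plural difference is real, because a wrong scope name leads to a failed or over-broad consent request. Other points: the `classification` row says "Specifies the specification of the alert"; "updated.Existing" is missing a space and "haven't change" should be "haven't changed"; `PATCH /api/alerts/{id}` is a relative path where the sibling pages give the full `https://api.securitycenter.windows.com` URL; the request example omits the required `Authorization` header; and the response example has no status line.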
diff --git a/windows/security/threat-protection/windows-defender-atp/use-apis.md b/windows/security/threat-protection/windows-defender-atp/use-apis.md
new file mode 100644
index 0000000000..0232e57b31
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/use-apis.md
@@ -0,0 +1,26 @@
+---
+title: Use the Windows Defender Advanced Threat Protection APIs
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 10/23/2017
+---
+
+# Use the Windows Defender ATP exposed APIs
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+## In this section
+Topic | Description
+:---|:---
+Create your app | Learn how to create an application to get programmatical access to Windows Defender ATP on behalf of a user or without a user.
+Supported Windows Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
+How to use APIs - Samples | Learn how to use Advanced hunting APIs and multiple APIs such as PowerShell.
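Review bot: The three rows of the "In this section" table are plain text with no links, so this landing page does not lead anywhere; link each topic to its page. In the front matter `description`, "progammatic" is misspelled, and "programmatical access" in the first row should be "programmatic access". The last row, "multiple APIs such as PowerShell", names a shell and not an API; reword it to say the samples show how to call the APIs from PowerShell.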
diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
index 9a12d912f6..261e038a76 100644
--- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 04/24/2018
# Use the threat intelligence API to create custom alerts
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
index f41440d094..b61baaafb2 100644
--- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
@@ -18,7 +18,7 @@ ms.date: 03/12/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md
index 829e256921..505e031a5a 100644
--- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ ms.date: 09/03/2018
# Create and manage roles for role-based access control
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..509ded9db9
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,23 @@
+---
+title: File resource type
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# User resource type
+
+Method|Return Type |Description
+:---|:---|:---
+[List User related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List all the alerts that are associated with a [user](user-windows-defender-advanced-threat-protection-new.md).
+[List User related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List all the machines that were logged on by a [user](user-windows-defender-advanced-threat-protection-new.md).
+
+
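Review bot: The front matter `title: File resource type` and `description: Retrieves top recent alerts.` were copied from other pages and do not describe the `# User resource type` page. Unlike the TiIndicator resource page added in this patch, this file has no Applies-to section, no prerelease include and no Properties table; add them or note why the user entity has none.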
diff --git a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md
index d905eb0d2b..7ecf9f1fda 100644
--- a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md
+++ b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md
@@ -16,7 +16,7 @@ ms.date: 10/08/2018
# View and organize the Windows Defender Advanced Threat Protection Incidents queue
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Prerelease information](prerelease.md)]
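Review bot: The product name in the **Applies to** list now links to `Windows10_Commercial_Comparison.pdf` on `wincom.blob.core.windows.net`, so a reader who clicks "Windows Defender Advanced Threat Protection (Windows Defender ATP)" gets a PDF from a storage host, and nothing in the link text says so. Either link to the product overview topic (windows-defender-advanced-threat-protection.md) or change the link text to say that it opens the Windows 10 commercial comparison PDF. The same replacement is repeated in the other files this patch touches, so the decision applies to all of them.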
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index abe99e8194..743cb4b2da 100644
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 10/26/2018
+ms.date: 11/07/2018
---
# Windows Defender Advanced Threat Protection
@@ -22,7 +22,7 @@ ms.date: 10/26/2018
Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
-indows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
+Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP.
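Review bot: The context line right under the corrected "indows" typo still has a subject-verb mismatch: "these sensors collect and process behavioral signals from the operating system and sends this sensor data". Since this paragraph is being edited anyway, change "sends" to "send".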
@@ -76,8 +76,8 @@ To further reinforce the security perimeter of your network, Windows Defender AT
-**[Endpoint protection and response](overview-endpoint-detection-response.md)**
-Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
+**[Endpoint detection and response](overview-endpoint-detection-response.md)**
+Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index b3f2bb7cac..360b2a59c8 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -18,7 +18,7 @@ ms.date: 10/15/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature is part of Windows Defender Advanced Threat Protection and provides:
@@ -53,7 +53,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
The rules apply to the following Office apps:
@@ -112,8 +112,6 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
This rule prevents scripts that appear to be obfuscated from running.
-It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
-
### Rule: Block Win32 API calls from Office macro
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
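Review bot: Removing the AMSI sentence leaves the obfuscated-script rule with a single line of description, "This rule prevents scripts that appear to be obfuscated from running.", and nothing on how a script is judged to be obfuscated. If the AMSI statement was inaccurate, replace it with a correct one-sentence description instead of dropping it, and state the reason for the removal in the commit message.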
@@ -160,7 +158,7 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-### Rule: Block only Office communication applications from creating child processes
+### Rule: Block Office communication applications from creating child processes
Office communication apps will not be allowed to create child processes. This includes Outlook.
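Review bot: The context line above the renamed heading lists "a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file"; PowerShell scripts use the `.ps1` extension, so `.ps` should be `.ps1`. The heading rename itself matches the table row changed earlier in this file.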
@@ -185,9 +183,7 @@ You can review the Windows event log to see events that are created when an atta
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**
-
- 
-
+
4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
5. Click **OK**.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
index 57927f648c..0131be7167 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
@@ -19,7 +19,7 @@ ms.date: 09/18/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can enable attack surface reduction rules, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
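Review bot: The context paragraph under the edited link contains the typo "eploit protection" ("You can enable attack surface reduction rules, eploit protection, network protection, and controlled folder access in audit mode"). Correct it to "exploit protection" in the same change.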
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md
index 83348307d8..9448ed601f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md
@@ -18,7 +18,7 @@ ms.date: 08/08/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using attack surface reduction rules, network protection, exploit protection, and controlled folder access.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
index fb5b4091c5..21c0acfc51 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
@@ -18,7 +18,7 @@ ms.date: 10/02/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
@@ -38,6 +38,12 @@ You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate ho
Controlled folder access requires enabling [Windows Defender Antivirus real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
+## Review controlled folder access events in the Windows Defender ATP Security Center
+
+Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
+
## Review controlled folder access events in Windows Event Viewer
You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:
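Review bot: The first paragraph of the new "Review controlled folder access events in the Windows Defender ATP Security Center" section repeats what the introduction of this file already says ("gives you detailed reporting into controlled folder access events and blocks as part of the usual alert investigation scenarios"); keep one of the two. The Advanced hunting link is also an absolute `https://docs.microsoft.com/en-us/...` URL, while the neighbouring links into the same windows-defender-atp folder are relative (`../windows-defender-atp/...`); use the relative form so the links are consistent and not pinned to the en-us locale.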
@@ -47,9 +53,7 @@ You can review the Windows event log to see events that are created when control
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**.
-
- 
-
+
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
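Review bot: The step list in this hunk ends with two items numbered 4 ("4. Navigate to where you extracted *cfa-events.xml* and select it." and "4. Click **OK**."). Renumber the last one to 5 while the list is being edited.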
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index 75725299ff..8bbe633287 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -18,7 +18,7 @@ ms.date: 10/17/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
@@ -58,7 +58,7 @@ Block JavaScript or VBScript from launching downloaded executable content | [!in
Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark yes](images/svg/check-yes.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
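Review bot: Flipping the lsass.exe credential-stealing row from `check-no.svg` to `check-yes.svg` changes what the table states about that rule, not just wording, yet no hunk in this file updates `ms.date` (the first hunk header still shows `ms.date: 10/17/2018`) and nothing visible here explains the change. Confirm the new value against product behaviour, bump `ms.date`, and call the change out in the commit message so it is not lost among the link edits.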
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
index 38643b362f..5f501170df 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
@@ -18,7 +18,7 @@ ms.date: 10/02/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index 57289d1fe5..7591a39db0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -18,7 +18,7 @@ ms.date: 10/02/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
index becce4ead2..3b65d090e5 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
@@ -18,7 +18,7 @@ ms.date: 08/08/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>[!IMPORTANT]
>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 86e12c0578..675f449f0b 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -18,7 +18,7 @@ ms.date: 10/17/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
index 1d831ea2a9..79fb8541bf 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@@ -18,7 +18,7 @@ ms.date: 10/02/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
index 91f8b6b1bb..70500e0307 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
@@ -18,7 +18,7 @@ ms.date: 08/08/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
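Review bot: The context line under the edited link reads "Exploit protection applies helps protect devices from malware that use exploits to spread and infect"; drop the stray "applies" and change "use" to "uses" to agree with "malware". The same sentence appears in evaluate-exploit-protection.md and import-export-exploit-protection-emet-xml.md in this patch, so fix all three together.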
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
index af47213614..d147c77d43 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
@@ -18,7 +18,7 @@ ms.date: 05/30/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
index 2c5e663e91..325b6119b3 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -6,14 +6,14 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: justinha
author: brianlic-msft
-ms.date: 08/08/2018
+ms.date: 11/15/2018
---
# Enable virtualization-based protection of code integrity
**Applies to**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
Some applications, including device drivers, may be incompatible with HVCI.
@@ -42,7 +42,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
3. Double-click **Turn on Virtualization Based Security**.
-4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be enabled remotely or select **Enabled without UEFI lock**.
+4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index b0eb1162cb..a143ed81a3 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -18,7 +18,7 @@ ms.date: 10/02/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
index 9fa8ab6d2b..f30804cbd0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@@ -18,7 +18,7 @@ ms.date: 10/02/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
index 412888c242..1d7efe7b59 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
@@ -18,7 +18,7 @@ ms.date: 05/30/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
index ee1e9948c7..995cbaeb50 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
@@ -18,7 +18,7 @@ ms.date: 08/09/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
index 1bf42dc66c..5f32c57193 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
@@ -19,7 +19,7 @@ ms.date: 08/08/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
index 729d6cbc55..7fb3984ab2 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
@@ -18,7 +18,7 @@ ms.date: 08/09/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
index dde4c17bfa..99eb36540f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
@@ -18,7 +18,7 @@ ms.date: 04/30/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md
index 03dd9e1ec9..11ff56a123 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md
@@ -18,7 +18,7 @@ ms.date: 08/09/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
index 934d1154de..b1e742ac1b 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -18,7 +18,7 @@ ms.date: 08/09/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
@@ -41,6 +41,11 @@ Windows 10 version | Windows Defender Antivirus
- | -
Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
+## Review network protection events in the Windows Defender ATP Security Center
+
+Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
## Review network protection events in Windows Event Viewer
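Review bot: In the added paragraph, the Advanced hunting link is an absolute, locale-pinned URL (https://docs.microsoft.com/en-us/windows/security/...), while the alert investigation link two lines above uses a relative path (../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). Suggest using the relative form for both, presumably ../windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md going by the URL slug, so the link follows the reader's locale and is checked by the build. The audit mode sentence would also be more useful with a pointer to which events to look for.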
@@ -51,9 +56,7 @@ You can review the Windows event log to see events that are created when network
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
-
- 
-
+
3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 158a8a98ac..640fe4cc29 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -13,7 +13,7 @@ ms.date: 10/20/2017
**Applies to**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
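Review bot: The paragraph directly under the changed bullet still contains the typo "adavantage" ("in order to take adavantage of all of the virtualization-based security (VBS) features"). Since this hunk already touches the file, suggest correcting it to "advantage" in the same change.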
@@ -33,9 +33,9 @@ The following tables provide more information about the hardware, firmware, and
|--------------------------------|----------------------------------------------------|-------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | |
| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: **HVCI compatible drivers** | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://docs.microsoft.com/windows-hardware/design/compatibility/filter#filterdriverdeviceguarddrivercompatibility).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
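Review bot: In the HVCI compatible drivers row, the link text reads "Filter driver download" but the URL is https://go.microsoft.com/fwlink/?linkid=2027110, the same linkid used for the "Systems download" in the two firmware rows above. This looks like a copy-paste: either the Filter driver specification has its own link ID that should be used here, or the link text should not promise a different download. Please verify the target before merging. Note also that all three rows now name the "Windows 10, version 1809 and Windows Server 2019" specifications, while the operating system row in the same table lists Windows Server 2016; a short remark on which specification version applies to older releases would help.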
@@ -58,7 +58,7 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|-----|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwarecsuefisecurebootconnectedstandby)
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
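Review bot: In the Hardware Rooted Trust Platform Secure Boot row, the added sentence links previous specification versions with the text "here" and a locale-pinned URL (docs.microsoft.com/en-us/...), while the HSTI link in the same cell is locale-neutral (docs.microsoft.com/windows-hardware/...). Suggest descriptive link text such as "Windows Hardware Compatibility Program Specifications and Policies" and dropping "/en-us/" from the URL. The old link jumped straight to the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement; now that the target is a download, consider saying where in the document the requirement is found.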
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
index 847b1fa492..5711270ae7 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
@@ -18,7 +18,7 @@ ms.date: 09/18/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as:
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
index 31f4604299..ede76cf20a 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
@@ -18,7 +18,7 @@ ms.date: 08/09/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
index f2f8024158..b091e01721 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
@@ -18,7 +18,7 @@ ms.date: 08/09/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
- IT administrators
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
index cfea6fdd1f..bdf4311dfe 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
@@ -18,7 +18,7 @@ ms.date: 08/09/2018
**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index 0080a6270c..64fcbb7821 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -72,7 +72,8 @@ Microsoft Edge kiosk mode running in single-app assigned access has two kiosk ty
Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types.
-**Note** the following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings.
+>[!NOTE]
+>The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings.
1.__Public browsing__ supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows.
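Review bot: The text moved into the >[!NOTE] block still reads "cannot be setup using"; as a verb this should be "set up". Worth fixing while the line is being rewritten. The context line that follows, "1.__Public browsing__", has no space after "1.", so it will not render as a numbered list item; suggest "1. __Public browsing__".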
@@ -197,7 +198,6 @@ Threat Analytics is a set of interactive reports published by the Windows Defend
- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
-
- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
Windows Defender ATP adds support for this scenario by providing MSSP integration.
The integration will allow MSSPs to take the following actions:
@@ -209,11 +209,10 @@ Windows Defender ATP integrates with Azure Security Center to provide a comprehe
- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
-
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
-- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/onboard-downlevel-windows-defender-advanced-threat-protection)
+- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
## Faster sign-in to a Windows 10 shared pc
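Review bot: The description line under the corrected "Onboard previous versions of Windows" link has no terminal period and reads awkwardly ("send sensor data to the Windows Defender ATP sensor"). Since the link on the line above is being fixed anyway, suggest tidying that sentence in the same change. Please also confirm that the new path with the added windows-defender-atp segment resolves, as the old one evidently did not.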
diff --git a/windows/yw45mjxz.3sx.json b/windows/yw45mjxz.3sx.json
deleted file mode 100644
index 4b4ae6ca01..0000000000
Binary files a/windows/yw45mjxz.3sx.json and /dev/null differ
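Review bot: The deletion of windows/yw45mjxz.3sx.json is bundled into a documentation change with no explanation visible in the patch. The random-looking name and the fact that git treats a .json file as binary suggest a stray tool or temp artifact that was committed by accident. Suggest mentioning the cleanup in the commit message and, if a build or editor tool generates such files, adding a matching ignore rule so they do not get committed again.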