To learn more about HoloLens 2 for developers, check out the mixed reality developer documentation.
-
To buy HoloLens, check out HoloLens pricing and sales on microsoft.com/HoloLens.
+ + +-This version of Surface Diagnostic Toolkit for Business adds support for the following: --Surface Pro 7 --Surface Laptop 3 +This version of Surface Diagnostic Toolkit for Business adds support for the following: + +- Surface Pro 7 +- Surface Laptop 3 ### Version 2.42.139.0 *Release date: September 24, 2019*
diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md index 7359067813..f1e3460df4 100644 --- a/devices/surface/surface-diagnostic-toolkit-command-line.md +++ b/devices/surface/surface-diagnostic-toolkit-command-line.md @@ -16,7 +16,7 @@ ms.audience: itpro # Run Surface Diagnostic Toolkit for Business using commands -Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features. +Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features. For a list of supported Surface devices in SDT, refer to [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md). >[!NOTE] >To run SDT using commands, you must be signed in to the Administrator account or signed in to an account that is a member of the Administrator group on your Surface device. diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md index 4d8b505670..738ec1ecae 100644 --- a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md +++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md @@ -7,36 +7,34 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 11/15/2018 +ms.date: 10/31/2019 ms.reviewer: hachidan manager: dansimp -ms.localizationpriority: normal +ms.localizationpriority: medium ms.audience: itpro --- # Use Surface Diagnostic Toolkit for Business in desktop mode -This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error. +This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error. For a list of supported Surface devices in SDT, refer to [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md). + 1. Direct the user to install [the SDT package](surface-diagnostic-toolkit-business.md#create-custom-sdt) from a software distribution point or network share. After it is installed, you’re ready to guide the user through a series of tests. 2. Begin at the home page, which allows users to enter a description of the issue, and click **Continue**, as shown in figure 1.  - - *Figure 1. SDT in desktop mode* +*Figure 1. SDT in desktop mode* 3. When SDT indicates the device has the latest updates, click **Continue** to advance to the catalog of available tests, as shown in figure 2.  - - *Figure 2. Select from SDT options* +*Figure 2. Select from SDT options* 4. You can choose to run all the diagnostic tests. Or, if you already suspect a particular issue such as a faulty display or a power supply problem, click **Select** to choose from the available tests and click **Run Selected**, as shown in figure 3. See the following table for details of each test.  - - *Figure 3. Select hardware tests* +*Figure 3. Select hardware tests* Hardware test | Description --- | --- @@ -55,6 +53,7 @@ This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help user + ## Running multiple hardware tests to troubleshoot issues SDT is designed as an interactive tool that runs a series of tests. For each test, SDT provides instructions summarizing the nature of the test and what users should expect or look for in order for the test to be successful. For example, to diagnose if the display brightness is working properly, SDT starts at zero and increases the brightness to 100 percent, asking users to confirm – by answering **Yes** or **No** -- that brightness is functioning as expected, as shown in figure 4. @@ -62,7 +61,6 @@ SDT is designed as an interactive tool that runs a series of tests. For each tes For each test, if functionality does not work as expected and the user clicks **No**, SDT generates a report of the possible causes and ways to troubleshoot it.  - *Figure 4. Running hardware diagnostics* 1. If the brightness successfully adjusts from 0-100 percent as expected, direct the user to click **Yes** and then click **Continue**. @@ -75,24 +73,18 @@ For each test, if functionality does not work as expected and the user clicks ** SDT enables you to diagnose and repair applications that may be causing issues, as shown in figure 5.  - *Figure 5. Running repairs* - - - - + ### Generating logs for analyzing issues SDT provides extensive log-enabled diagnosis support across applications, drivers, hardware, and operating system issues, as shown in figure 6.  - *Figure 6. Generating logs* - - + ### Generating detailed report comparing device vs. optimal configuration Based on the logs, SDT generates a report for software- and firmware-based issues that you can save to a preferred location. diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index 35c9b5f49f..df3918d715 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md @@ -10,7 +10,7 @@ ms.topic: article ms.date: 06/11/2019 ms.reviewer: cottmca manager: dansimp -ms.localizationpriority: normal +ms.localizationpriority: medium ms.audience: itpro --- diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index ffd159f4a1..6916589feb 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -8,7 +8,7 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 09/18/2019 +ms.date: 10/09/2019 ms.reviewer: scottmca manager: dansimp ms.audience: itpro diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 32c1f38406..de1879bcba 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -9,9 +9,11 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 01/06/2017 -ms.reviewer: +ms.date: 10/31/2019 +ms.reviewer: scottmca manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # Microsoft Surface Enterprise Management Mode @@ -19,12 +21,14 @@ manager: dansimp Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal. >[!NOTE] ->SEMM is only available on devices with Surface UEFI firmware such as Surface Pro 4 and later, Surface Go, Surface Laptop, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). +>SEMM is only available on devices with Surface UEFI firmware. + When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM. There are two administrative options you can use to manage SEMM and enrolled Surface devices – a standalone tool or integration with System Center Configuration Manager. The SEMM standalone tool, called the Microsoft Surface UEFI Configurator, is described in this article. For more information about how to manage SEMM with System Center Configuration Manager, see [Use System Center Configuration Manager to manage devices with SEMM](https://technet.microsoft.com/itpro/surface/use-system-center-configuration-manager-to-manage-devices-with-semm). + ## Microsoft Surface UEFI Configurator The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied. @@ -33,8 +37,6 @@ The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown i *Figure 1. Microsoft Surface UEFI Configurator* ->[!NOTE] ->Windows 10 is required to run Microsoft Surface UEFI Configurator You can use the Microsoft Surface UEFI Configurator tool in three modes: @@ -62,17 +64,9 @@ See the [Surface Enterprise Management Mode certificate requirements](#surface-e After a device is enrolled in SEMM, the configuration file is read and the settings specified in the file are applied to UEFI. When you run a configuration package on a device that is already enrolled in SEMM, the signature of the configuration file is checked against the certificate that is stored in the device firmware. If the signature does not match, no changes are applied to the device. -You can use Surface UEFI settings to enable or disable the operation of individual components, such as cameras, wireless communication, or docking USB port (as shown in Figure 3), and configure advanced settings (as shown in Figure 4). +### Enable or disable devices in Surface UEFI with SEMM - - -*Figure 3. Enable or disable devices in Surface UEFI with SEMM* - - - -*Figure 4. Configure advanced settings with SEMM* - -You can enable or disable the following devices with SEMM: +The following list shows all the available devices you can manage in SEMM: * Docking USB Port * On-board Audio @@ -86,31 +80,40 @@ You can enable or disable the following devices with SEMM: * Wi-Fi and Bluetooth * LTE -You can configure the following advanced settings with SEMM: + >[!NOTE] +>The built-in devices that appear in the UEFI Devices page may vary depending on your device or corporate environment. For example, the UEFI Devices page is not supported on Surface Pro X; LTE only appears on LTE-equipped devices. +### Configure advanced settings with SEMM +**Table 1. Advanced settings** + +| Setting | Description | +| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| IPv6 for PXE Boot | Allows you to manage Ipv6 support for PXE boot. If you do not configure this setting, IPv6 support for PXE boot is disabled. | +| Alternate Boot | Allows you to manage use of an Alternate boot order to boot directly to a USB or Ethernet device by pressing both the Volume Down button and Power button during boot. If you do not configure this setting, Alternate boot is enabled. | +| Boot Order Lock | Allows you to lock the boot order to prevent changes. If you do not configure this setting, Boot Order Lock is disabled. | +| USB Boot | Allows you to manage booting to USB devices. If you do not configure this setting, USB Boot is enabled. | +| Network Stack | Allows you to manage Network Stack boot settings. If you do not configure this setting, the ability to manage Network Stack boot settings is enabled. | +| Auto Power On | Allows you to manage Auto Power On boot settings. If you do not configure this setting, Auto Power on is enabled. | +| Simultaneous Multi-Threading (SMT) | Allows you to manage Simultaneous Multi-Threading (SMT) to enable or disable hyperthreading. If you do not configure this setting, SMT is enabled. | +|Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled | +| Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, the Security page is displayed. | +| Devices | Displays the Surface UEFI **Devices** page. If you do not configure this setting, the Devices page is displayed. | +| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed. | +| DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, the DateTime page is displayed. | + -* IPv6 support for PXE boot -* Alternate boot order, where the Volume Down button and Power button can be pressed together during boot, to boot directly to a USB or Ethernet device -* Lock the boot order to prevent changes -* Support for booting to USB devices -* Enable Network Stack boot settings -* Enable Auto Power On boot settings -* Display of the Surface UEFI **Security** page -* Display of the Surface UEFI **Devices** page -* Display of the Surface UEFI **Boot** page -* Display of the Surface UEFI **DateTime** page >[!NOTE] ->When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5. +>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 3.  -*Figure 5. Display of the last two characters of the certificate thumbprint on the Successful page* +*Figure 3. Display of the last two characters of the certificate thumbprint on the Successful page* -These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 6. +These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 4.  -*Figure 6. Enrollment confirmation in SEMM with the SEMM certificate thumbprint* +*Figure 4. Enrollment confirmation in SEMM with the SEMM certificate thumbprint* >[!NOTE] >Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process: @@ -132,11 +135,11 @@ A Surface UEFI reset package is used to perform only one task — to unenroll a ### Recovery request -In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 7) with a Recovery Request operation. +In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 5) with a Recovery Request operation.  -*Figure 7. Initiate a SEMM recovery request on the Enterprise Management page* +*Figure 5. Initiate a SEMM recovery request on the Enterprise Management page* When you use the process on the **Enterprise Management** page to reset SEMM on a Surface device, you are provided with a Reset Request. This Reset Request can be saved as a file to a USB drive, copied as text, or read as a QR Code with a mobile device to be easily emailed or messaged. Use the Microsoft Surface UEFI Configurator Reset Request option to load a Reset Request file or enter the Reset Request text or QR Code. Microsoft Surface UEFI Configurator will generate a verification code that can be entered on the Surface device. If you enter the code on the Surface device and click **Restart**, the device will be unenrolled from SEMM. diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md index b2988422c1..19a91301f7 100644 --- a/devices/surface/surface-manage-dfci-guide.md +++ b/devices/surface/surface-manage-dfci-guide.md @@ -17,7 +17,7 @@ ms.audience: itpro ## Introduction -The ability to manage devices from the cloud has dramatically simplified IT deployment and provisioning across the lifecycle. With Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune (now available in public preview), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. +The ability to manage devices from the cloud has dramatically simplified IT deployment and provisioning across the lifecycle. With Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune (now available in [public preview](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows)), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. For answers to frequently asked questions, see [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333). ### Background @@ -167,6 +167,7 @@ If the original DFCI profile has been deleted, you can remove policy settings by 6. Validate DFCI is removed from the device in the UEFI. ## Learn more -- [Windows Autopilot](https://www.microsoft.com/microsoft-365/windows/windows-autopilot) +- [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333) +[Windows Autopilot](https://www.microsoft.com/microsoft-365/windows/windows-autopilot) - [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md) - [Use DFCI profiles on Windows devices in Microsoft Intune](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows) diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index 6b6e75f7d4..74c348d2d1 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md @@ -9,9 +9,11 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 03/20/2019 +ms.date: 10/31/2019 ms.reviewer: manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # System SKU reference @@ -39,6 +41,11 @@ System Model and System SKU are variables that are stored in the System Manageme | Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial | | Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer | | Surface Laptop 2 Commercial | Surface Laptop 2 | Surface_Laptop_2_1769_Commercial | +| Surface Pro 7 | Surface Pro 7 | Surface_Pro_7_1866 | +| Surface Pro X | Surface Pro X | Surface_Pro_X_1876 | +| Surface Laptop 3 13" Intel | Surface Laptop 3 | Surface_Laptop_3_1867:1868 | +| Surface Laptop 3 15" Intel | Surface Laptop 3 | Surface_Laptop_3_1872 | +| Surface Laptop 3 15" AMD | Surface Laptop 3 | Surface_Laptop_3_1873 | ## Examples diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md index fbbaec21e8..6e225137c2 100644 --- a/devices/surface/surface-wireless-connect.md +++ b/devices/surface/surface-wireless-connect.md @@ -6,16 +6,15 @@ ms.mktglfcycl: manage ms.sitesec: library author: dansimp ms.audience: itpro -ms.localizationpriority: normal +ms.localizationpriority: medium ms.author: dansimp ms.topic: article -ms.date: 08/15/2019 +ms.date: 10/31/2019 ms.reviewer: tokatz manager: dansimp --- # Optimize Wi-Fi connectivity for Surface devices -## Introduction To stay connected with all-day battery life, Surface devices implement wireless connectivity settings that balance performance and power conservation. Outside of the most demanding mobility scenarios, users can maintain sufficient wireless connectivity without modifying default network adapter or related settings. @@ -32,7 +31,7 @@ If you’re managing a wireless network that’s typically accessed by many diff - **802.11r.** “**Fast BSS Transition”** accelerates connecting to new wireless access points by reducing the number of frames required before your device can access another AP as you move around with your device. - **802.11k.** **“Neighbor Reports”** provides devices with information on current conditions at neighboring access points. It can help your Surface device choose the best AP using criteria other than signal strength such as AP utilization. -Surface Go devices can also use 802.11v “BSS Transition Management Frames,” which functions much like 802.11k in providing information on nearby candidate APs. +Specific Surface devices can also use 802.11v “BSS Transition Management Frames,” which functions much like 802.11k in providing information on nearby candidate APs. These include Surface Go, Surface Pro 7, Surface Pro X, and Surface Laptop 3. ## Managing user settings diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md index edcfcdf120..39b70f6006 100644 --- a/devices/surface/unenroll-surface-devices-from-semm.md +++ b/devices/surface/unenroll-surface-devices-from-semm.md @@ -12,6 +12,8 @@ ms.topic: article ms.date: 01/06/2017 ms.reviewer: manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # Unenroll Surface devices from SEMM diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 0432c65257..6c29966521 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -9,9 +9,11 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 02/01/2017 +ms.date: 10/31/2019 ms.reviewer: manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # Use System Center Configuration Manager to manage devices with SEMM @@ -382,7 +384,7 @@ To configure Surface UEFI settings or permissions for Surface UEFI settings, you The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device. -The following tables show the available settings for Surface Pro 4 and Surface Book: +The following tables show the available settings for Surface Pro 4 and later including Surface Pro 7, Surface Book, Surface Laptop 3, and Surface Go. *Table 1. Surface UEFI settings for Surface Pro 4* diff --git a/education/docfx.json b/education/docfx.json index ccdccf2c7e..91c875c200 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -33,6 +33,7 @@ "breadcrumb_path": "/education/breadcrumb/toc.json", "ms.date": "05/09/2017", "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.education", diff --git a/mdop/agpm/whats-new-in-agpm-40-sp3.md b/mdop/agpm/whats-new-in-agpm-40-sp3.md index dbe0512e16..d60031b011 100644 --- a/mdop/agpm/whats-new-in-agpm-40-sp3.md +++ b/mdop/agpm/whats-new-in-agpm-40-sp3.md @@ -189,7 +189,7 @@ The following table describes the behavior of AGPM 4.0 SP3 Client and Server in ## How to Get MDOP Technologies -AGPM 4.0 SP3 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). +AGPM 4.0 SP3 is a part of the Microsoft Desktop Optimization Pack (MDOP) since MDOP 2015. MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). ## Related topics diff --git a/smb/docfx.json b/smb/docfx.json index 5e53d296ed..14448aa33c 100644 --- a/smb/docfx.json +++ b/smb/docfx.json @@ -31,6 +31,7 @@ "globalMetadata": { "breadcrumb_path": "/windows/smb/breadcrumb/toc.json", "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "TechNet.smb", diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index aeefd6b341..760a988add 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json @@ -41,6 +41,7 @@ "Store" ], "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.store-for-business", diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index e1365a820c..c265525536 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -32,7 +32,8 @@ From its release, Windows 10 has supported remote connections to PCs that are jo ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. -- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC. +- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connection to an Azure AD joined PC from an unjoined device or a non-Windows 10 device is not supported. +Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC. - On the PC that you want to connect to: 1. Open system properties for the remote PC. 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md index 9ab64f1f8b..18a0174509 100644 --- a/windows/client-management/mdm/get-product-details.md +++ b/windows/client-management/mdm/get-product-details.md @@ -1,6 +1,6 @@ --- title: Get product details -description: The Get product details operation retrieves the product information from the Micosoft Store for Business for a specific application. +description: The Get product details operation retrieves the product information from the Microsoft Store for Business for a specific application. ms.assetid: BC432EBA-CE5E-43BD-BD54-942774767286 ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 09/18/2017 # Get product details -The **Get product details** operation retrieves the product information from the Micosoft Store for Business for a specific application. +The **Get product details** operation retrieves the product information from the Microsoft Store for Business for a specific application. ## Request diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 9711b4b2a4..70668fa9de 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -38,9 +38,11 @@ The following diagram shows the Reboot configuration service provider management
The supported operation is Get.
**Schedule/Single** -This node will execute a reboot at a scheduled date and time. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. +
This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required. Example to configure: 2018-10-25T18:00:00
+Setting a null (empty) date will delete the existing schedule. In accordance with the ISO 8601 format, the date and time representation needs to be 0000-00-00T00:00:00. +The supported operations are Get, Add, Replace, and Delete.
**Schedule/DailyRecurrent** @@ -53,13 +55,3 @@ Example to configure: 2018-10-25T18:00:00 [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index e8e03a3ba7..4986e61b5d 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -36,6 +36,7 @@ "audience": "ITPro", "ms.topic": "article", "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-configuration", diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json index 32e84ef526..3dcf319a94 100644 --- a/windows/configure/docfx.json +++ b/windows/configure/docfx.json @@ -31,6 +31,7 @@ "externalReference": [], "globalMetadata": { "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.windows-configure" diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 396ef254fd..adb1e56155 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -88,6 +88,9 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi - This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. + > [!NOTE] + > Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-edition-upgrades#upgrade-by-manually-entering-a-product-key). + 1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).  diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 96e833ec0a..479877ca3a 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -46,14 +46,14 @@ Windows Update for Business provides management policies for several types of up ## Offering -You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time. +You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period. ### Manage which updates are offered Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates. - Drivers (on/off): When "on," this policy will not include drivers with Windows Update. -- Microsoft product updates (on/off): When "on" this policy will install udpates for other Microsoft products. +- Microsoft product updates (on/off): When "on" this policy will install updates for other Microsoft products. ### Manage when updates are offered @@ -90,11 +90,19 @@ The branch readiness level enables administrators to specify which channel of fe Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release’s Semi-annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. +### Recommendations + +For the best experience with Windows Update, follow these guidelines: + +- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. +- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. +- Make sure that devices have at least 10 GB of free space. +- Give devices unobstructed access to the Windows Update service. ## Monitor Windows Updates by using Update Compliance -Update Compliance provides a holistic view of operating system update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated. +Update Compliance provides a holistic view of operating system update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without extra infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.  diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index fd014ccd65..044398b870 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md @@ -17,351 +17,351 @@ ms.topic: article # Windows Update error codes by component ->Applies to: Windows 10 +> Applies to: Windows 10 This section lists the error codes for Microsoft Windows Update. + +## Automatic Update Errors + +| Error code | Message | Description | +|------------|---------------------------------|--------------------------------------------------------------------------------------------------------| +| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. | +| 0x8024A000 | `WU_E_AU_NOSERVICE` | Automatic Updates was unable to service incoming requests. | +| 0x8024A002 | `WU_E_AU_NONLEGACYSERVER` | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | +| 0x8024A003 | `WU_E_AU_LEGACYCLIENTDISABLED` | The old version of the Automatic Updates client was disabled. | +| 0x8024A004 | `WU_E_AU_PAUSED` | Automatic Updates was unable to process incoming requests because it was paused. | +| 0x8024A005 | `WU_E_AU_NO_REGISTERED_SERVICE` | No unmanaged service is registered with `AU`. | +| 0x8024AFFF | `WU_E_AU_UNEXPECTED` | An Automatic Updates error not covered by another `WU_E_AU*` code. | + +## Windows Update UI errors + +| Error code | Message | Description | +|------------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| +| 0x80243001 | `WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION` | The results of download and installation could not be read from the registry due to an unrecognized data format version. | +| 0x80243002 | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation could not be read from the registry due to an invalid data format. | +| 0x80243003 | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation are not available; the operation may have failed to start. | +| 0x80243004 | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. | +| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; WU client UI modules may not be installed. | +| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of WU client UI exported functions. | +| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. | + +## Inventory errors + +| Error code | Message | Description | +|------------|--------------------------------------------|-------------------------------------------------------------------------------| +| 0x80249001 | `WU_E_INVENTORY_PARSEFAILED` | Parsing of the rule file failed. | +| 0x80249002 | `WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED` | Failed to get the requested inventory type from the server. | +| 0x80249003 | `WU_E_INVENTORY_RESULT_UPLOAD_FAILED` | Failed to upload inventory result to the server. | +| 0x80249004 | `WU_E_INVENTORY_UNEXPECTED` | There was an inventory error not covered by another error code. | +| 0x80249005 | `WU_E_INVENTORY_WMI_ERROR` | A WMI error occurred when enumerating the instances for a particular class. | + +## Expression evaluator errors + +| Error code | Message | Description | +|------------|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------| +| 0x8024E001 | `WU_E_EE_UNKNOWN_EXPRESSION` | An expression evaluator operation could not be completed because an expression was unrecognized. | +| 0x8024E002 | `WU_E_EE_INVALID_EXPRESSION` | An expression evaluator operation could not be completed because an expression was invalid. | +| 0x8024E003 | `WU_E_EE_MISSING_METADATA` | An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes. | +| 0x8024E004 | `WU_E_EE_INVALID_VERSION` | An expression evaluator operation could not be completed because the version of the serialized expression data is invalid. | +| 0x8024E005 | `WU_E_EE_NOT_INITIALIZED` | The expression evaluator could not be initialized. | +| 0x8024E006 | `WU_E_EE_INVALID_ATTRIBUTEDATA` | An expression evaluator operation could not be completed because there was an invalid attribute. | +| 0x8024E007 | `WU_E_EE_CLUSTER_ERROR` | An expression evaluator operation could not be completed because the cluster state of the computer could not be determined. | +| 0x8024EFFF | `WU_E_EE_UNEXPECTED` | There was an expression evaluator error not covered by another `WU_E_EE_*` error code. | -## Automatic Update Errors +## Reporter errors -| Error code | Message | Description | -|------------|-------------------------------|--------------------------------------------------------------------------------------------------------| -| 0x80243FFF | WU_E_AUCLIENT_UNEXPECTED | There was a user interface error not covered by another WU_E_AUCLIENT_\* error code. | -| 0x8024A000 | WU_E_AU_NOSERVICE | Automatic Updates was unable to service incoming requests. | -| 0x8024A002 | WU_E_AU_NONLEGACYSERVER | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | -| 0x8024A003 | WU_E_AU_LEGACYCLIENTDISABLED | The old version of the Automatic Updates client was disabled. | -| 0x8024A004 | WU_E_AU_PAUSED | Automatic Updates was unable to process incoming requests because it was paused. | -| 0x8024A005 | WU_E_AU_NO_REGISTERED_SERVICE | No unmanaged service is registered with AU. | -| 0x8024AFFF | WU_E_AU_UNEXPECTED | An Automatic Updates error not covered by another WU_E_AU \* code. | - -## Windows Update UI errors +| Error code | Message | Description | +|------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------| +| 0x80247001 | `WU_E_OL_INVALID_SCANFILE` | An operation could not be completed because the scan package was invalid. | +| 0x80247002 | `WU_E_OL_NEWCLIENT_REQUIRED` | An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. | +| 0x80247FFF | `WU_E_OL_UNEXPECTED` | Search using the scan package failed. | +| 0x8024F001 | `WU_E_REPORTER_EVENTCACHECORRUPT` | The event cache file was defective. | +| 0x8024F002 | `WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED` | The XML in the event namespace descriptor could not be parsed. | +| 0x8024F003 | `WU_E_INVALID_EVENT` | The XML in the event namespace descriptor could not be parsed. | +| 0x8024F004 | `WU_E_SERVER_BUSY` | The server rejected an event because the server was too busy. | +| 0x8024FFFF | `WU_E_REPORTER_UNEXPECTED` | There was a reporter error not covered by another error code. | -| Error code | Message | Description | -|------------|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| -| 0x80243001 | WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION | The results of download and installation could not be read from the registry due to an unrecognized data format version. | -| 0x80243002 | WU_E_INSTALLATION_RESULTS_INVALID_DATA | The results of download and installation could not be read from the registry due to an invalid data format. | -| 0x80243003 | WU_E_INSTALLATION_RESULTS_NOT_FOUND | The results of download and installation are not available; the operation may have failed to start. | -| 0x80243004 | WU_E_TRAYICON_FAILURE | A failure occurred when trying to create an icon in the taskbar notification area. | -| 0x80243FFD | WU_E_NON_UI_MODE | Unable to show UI when in non-UI mode; WU client UI modules may not be installed. | -| 0x80243FFE | WU_E_WUCLTUI_UNSUPPORTED_VERSION | Unsupported version of WU client UI exported functions. | -| 0x80243FFF | WU_E_AUCLIENT_UNEXPECTED | There was a user interface error not covered by another WU_E_AUCLIENT_\* error code. | - -## Inventory errors +## Redirector errors +The components that download the `Wuredir.cab` file and then parse the `Wuredir.cab` file generate the following errors. -| Error code | Message | Description | -|------------|-------------------------------------------|-------------------------------------------------------------------------------| -| 0x80249001 | WU_E_INVENTORY_PARSEFAILED | Parsing of the rule file failed. | -| 0x80249002 | WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED | Failed to get the requested inventory type from the server. | -| 0x80249003 | WU_E_INVENTORY_RESULT_UPLOAD_FAILED | Failed to upload inventory result to the server. | -| 0x80249004 | WU_E_INVENTORY_UNEXPECTED | There was an inventory error not covered by another error code. | -| 0x80249005 | WU_E_INVENTORY_WMI_ERROR | A WMI error occurred when enumerating the instances for a particular class. | - -## Expression evaluator errors +| Error code | Message | Description | +|----------- |------------------------------|------------------------------------------------------------------------------------------| +| 0x80245001 | `WU_E_REDIRECTOR_LOAD_XML` | The redirector XML document could not be loaded into the DOM class. | +| 0x80245002 | `WU_E_REDIRECTOR_S_FALSE` | The redirector XML document is missing some required information. | +| 0x80245003 | `WU_E_REDIRECTOR_ID_SMALLER` | The redirectorId in the downloaded redirector cab is less than in the cached cab. | +| 0x80245FFF | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. | -| Error code | Message | Description | -|-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------| -| 0x8024E001 | WU_E_EE_UNKNOWN_EXPRESSION | An expression evaluator operation could not be completed because an expression was unrecognized. | -| 0x8024E002 | WU_E_EE_INVALID_EXPRESSION | An expression evaluator operation could not be completed because an expression was invalid. | -| 0x8024E003 | WU_E_EE_MISSING_METADATA | An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes. | -| 0x8024E004 | WU_E_EE_INVALID_VERSION | An expression evaluator operation could not be completed because the version of the serialized expression data is invalid. | -| 0x8024E005 | WU_E_EE_NOT_INITIALIZED | The expression evaluator could not be initialized. | -| 0x8024E006 | WU_E_EE_INVALID_ATTRIBUTEDATA | An expression evaluator operation could not be completed because there was an invalid attribute. | -| 0x8024E007 | WU_E_EE_CLUSTER_ERROR | An expression evaluator operation could not be completed because the cluster state of the computer could not be determined. | -| 0x8024EFFF | WU_E_EE_UNEXPECTED | There was an expression evaluator error not covered by another WU_E_EE_\* error code. | - -## Reporter errors - -| Error code | Message | Description | -|-------------|------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| -| 0x80247001 | WU_E_OL_INVALID_SCANFILE | An operation could not be completed because the scan package was invalid. | -| 0x80247002 | WU_E_OL_NEWCLIENT_REQUIRED | An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. | -| 0x80247FFF | WU_E_OL_UNEXPECTED | Search using the scan package failed. | -| 0x8024F001 | WU_E_REPORTER_EVENTCACHECORRUPT | The event cache file was defective. | -| 0x8024F002 | WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED | The XML in the event namespace descriptor could not be parsed. | -| 0x8024F003 | WU_E_INVALID_EVENT | The XML in the event namespace descriptor could not be parsed. | -| 0x8024F004 | WU_E_SERVER_BUSY | The server rejected an event because the server was too busy. | -| 0x8024FFFF | WU_E_REPORTER_UNEXPECTED | There was a reporter error not covered by another error code. | - -## Redirector errors -The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors. - -|Error code|Message|Description | -|-|-|-| -| 0x80245001| WU_E_REDIRECTOR_LOAD_XML| The redirector XML document could not be loaded into the DOM class. | -| 0x80245002| WU_E_REDIRECTOR_S_FALSE| The redirector XML document is missing some required information. | -| 0x80245003| WU_E_REDIRECTOR_ID_SMALLER| The redirectorId in the downloaded redirector cab is less than in the cached cab. | -| 0x80245FFF| WU_E_REDIRECTOR_UNEXPECTED| The redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code. | - -## Protocol Talker errors -The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method. +## Protocol Talker errors +The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. These errors are obtained when the `CClientWebService` object calls the `GetClientError()` method. -| Error code | Message | Description | -|-------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------| -| 0x80244000 | WU_E_PT_SOAPCLIENT_BASE | WU_E_PT_SOAPCLIENT_\* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library. | -| 0x80244001 | WU_E_PT_SOAPCLIENT_INITIALIZE | Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. | -| 0x80244002 | WU_E_PT_SOAPCLIENT_OUTOFMEMORY | Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory. | -| 0x80244003 | WU_E_PT_SOAPCLIENT_GENERATE | Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request. | -| 0x80244004 | WU_E_PT_SOAPCLIENT_CONNECT | Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server. | -| 0x80244005 | WU_E_PT_SOAPCLIENT_SEND | Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_\* error codes. | -| 0x80244006 | WU_E_PT_SOAPCLIENT_SERVER | Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error. | -| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | -| 0x80244008 | WU_E_PT_SOAPCLIENT_PARSEFAULT | Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault. | -| 0x80244009 | WU_E_PT_SOAPCLIENT_READ | Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server. | -| 0x8024400A | WU_E_PT_SOAPCLIENT_PARSE | Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server. | - -## Other Protocol Talker errors -The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT. +| Error code | Message | Description | +|------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------| +| 0x80244000 | `WU_E_PT_SOAPCLIENT_BASE` | `WU_E_PT_SOAPCLIENT_*` error codes map to the `SOAPCLIENT_ERROR` enum of the ATL Server Library. | +| 0x80244001 | `WU_E_PT_SOAPCLIENT_INITIALIZE` | Same as `SOAPCLIENT_INITIALIZE_ERROR` - initialization of the `SOAP` client failed possibly because of an MSXML installation failure. | +| 0x80244002 | `WU_E_PT_SOAPCLIENT_OUTOFMEMORY` | Same as `SOAPCLIENT_OUTOFMEMORY` - `SOAP` client failed because it ran out of memory. | +| 0x80244003 | `WU_E_PT_SOAPCLIENT_GENERATE` | Same as `SOAPCLIENT_GENERATE_ERROR` - `SOAP` client failed to generate the request. | +| 0x80244004 | `WU_E_PT_SOAPCLIENT_CONNECT` | Same as `SOAPCLIENT_CONNECT_ERROR` - `SOAP` client failed to connect to the server. | +| 0x80244005 | `WU_E_PT_SOAPCLIENT_SEND` | Same as `SOAPCLIENT_SEND_ERROR` - `SOAP` client failed to send a message for reasons of `WU_E_WINHTTP_*` error codes. | +| 0x80244006 | `WU_E_PT_SOAPCLIENT_SERVER` | Same as `SOAPCLIENT_SERVER_ERROR` - `SOAP` client failed because there was a server error. | +| 0x80244007 | `WU_E_PT_SOAPCLIENT_SOAPFAULT` | Same as `SOAPCLIENT_SOAPFAULT` - `SOAP` client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. | +| 0x80244008 | `WU_E_PT_SOAPCLIENT_PARSEFAULT` | Same as `SOAPCLIENT_PARSEFAULT_ERROR` - `SOAP` client failed to parse a `SOAP` fault. | +| 0x80244009 | `WU_E_PT_SOAPCLIENT_READ` | Same as `SOAPCLIENT_READ_ERROR` - `SOAP` client failed while reading the response from the server. | +| 0x8024400A | `WU_E_PT_SOAPCLIENT_PARSE` | Same as `SOAPCLIENT_PARSE_ERROR` - `SOAP` client failed to parse the response from the server. | + +## Other Protocol Talker errors +The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These errors are obtained from the `m_fault.m_soapErrCode` member of the `CClientWebService` object when `GetClientError()` returns `SOAPCLIENT_SOAPFAULT`. -| Error code | Message | Description | -|-------------|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024400B | WU_E_PT_SOAP_VERSION | Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope. | -| 0x8024400C | WU_E_PT_SOAP_MUST_UNDERSTAND | Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header. | -| 0x8024400D | WU_E_PT_SOAP_CLIENT | Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending. | -| 0x8024400E | WU_E_PT_SOAP_SERVER | Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later. | -| 0x8024400F | WU_E_PT_WMI_ERROR | There was an unspecified Windows Management Instrumentation (WMI) error. | -| 0x80244010 | WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS | The number of round trips to the server exceeded the maximum limit. | -| 0x80244011 | WU_E_PT_SUS_SERVER_NOT_SET | WUServer policy value is missing in the registry. | -| 0x80244012 | WU_E_PT_DOUBLE_INITIALIZATION | Initialization failed because the object was already initialized. | -| 0x80244013 | WU_E_PT_INVALID_COMPUTER_NAME | The computer name could not be determined. | -| 0x80244015 | WU_E_PT_REFRESH_CACHE_REQUIRED | The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | -| 0x80244016 | WU_E_PT_HTTP_STATUS_BAD_REQUEST | Same as HTTP status 400 - the server could not process the request due to invalid syntax. | -| 0x80244017 | WU_E_PT_HTTP_STATUS_DENIED | Same as HTTP status 401 - the requested resource requires user authentication. | -| 0x80244018 | WU_E_PT_HTTP_STATUS_FORBIDDEN | Same as HTTP status 403 - server understood the request but declined to fulfill it. | -| 0x80244019 | WU_E_PT_HTTP_STATUS_NOT_FOUND | Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier). | -| 0x8024401A | WU_E_PT_HTTP_STATUS_BAD_METHOD | Same as HTTP status 405 - the HTTP method is not allowed. | -| 0x8024401B | WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ | Same as HTTP status 407 - proxy authentication is required. | -| 0x8024401C | WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT | Same as HTTP status 408 - the server timed out waiting for the request. | -| 0x8024401D | WU_E_PT_HTTP_STATUS_CONFLICT | Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource. | -| 0x8024401E | WU_E_PT_HTTP_STATUS_GONE | Same as HTTP status 410 - requested resource is no longer available at the server. | -| 0x8024401F | WU_E_PT_HTTP_STATUS_SERVER_ERROR | Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. | -| 0x80244020 | WU_E_PT_HTTP_STATUS_NOT_SUPPORTED | Same as HTTP status 500 - server does not support the functionality required to fulfill the request. | -| 0x80244021 | WU_E_PT_HTTP_STATUS_BAD_GATEWAY | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request. | -| 0x80244022 | WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL | Same as HTTP status 503 - the service is temporarily overloaded. | -| 0x80244023 | WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT | Same as HTTP status 503 - the request was timed out waiting for a gateway. | -| 0x80244024 | WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP | Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. | -| 0x80244025 | WU_E_PT_FILE_LOCATIONS_CHANGED | Operation failed due to a changed file location; refresh internal state and resend. | -| 0x80244026 | WU_E_PT_REGISTRATION_NOT_SUPPORTED | Operation failed because Windows Update Agent does not support registration with a non-WSUS server. | -| 0x80244027 | WU_E_PT_NO_AUTH_PLUGINS_REQUESTED | The server returned an empty authentication information list. | -| 0x80244028 | WU_E_PT_NO_AUTH_COOKIES_CREATED | Windows Update Agent was unable to create any valid authentication cookies. | -| 0x80244029 | WU_E_PT_INVALID_CONFIG_PROP | A configuration property value was wrong. | -| 0x8024402A | WU_E_PT_CONFIG_PROP_MISSING | A configuration property value was missing. | -| 0x8024402B | WU_E_PT_HTTP_STATUS_NOT_MAPPED | The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_\* error codes. | -| 0x8024402C | WU_E_PT_WINHTTP_NAME_NOT_RESOLVED | Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved. | -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors. | -| 0x80244030 | WU_E_PT_ECP_INIT_FAILED | The external cab processor initialization did not complete. | -| 0x80244031 | WU_E_PT_ECP_INVALID_FILE_FORMAT | The format of a metadata file was invalid. | -| 0x80244032 | WU_E_PT_ECP_INVALID_METADATA | External cab processor found invalid metadata. | -| 0x80244033 | WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST | The file digest could not be extracted from an external cab file. | -| 0x80244034 | WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE | An external cab file could not be decompressed. | -| 0x80244035 | WU_E_PT_ECP_FILE_LOCATION_ERROR | External cab processor was unable to get file locations. | -| 0x80244FFF | WU_E_PT_UNEXPECTED | A communication error not covered by another WU_E_PT_\* error code. | -| 0x8024502D | WU_E_PT_SAME_REDIR_ID | Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. | -| 0x8024502E | WU_E_PT_NO_MANAGED_RECOVER | A redirector recovery action did not complete because the server is managed. | - -## Download Manager errors +| Error code | Message | Description | +|------------|----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x8024400B | `WU_E_PT_SOAP_VERSION` | Same as `SOAP_E_VERSION_MISMATCH` - `SOAP` client found an unrecognizable namespace for the `SOAP` envelope. | +| 0x8024400C | `WU_E_PT_SOAP_MUST_UNDERSTAND` | Same as `SOAP_E_MUST_UNDERSTAND` - `SOAP` client was unable to understand a header. | +| 0x8024400D | `WU_E_PT_SOAP_CLIENT` | Same as `SOAP_E_CLIENT` - `SOAP` client found the message was malformed; fix before resending. | +| 0x8024400E | `WU_E_PT_SOAP_SERVER` | Same as `SOAP_E_SERVER` - The `SOAP` message could not be processed due to a server error; resend later. | +| 0x8024400F | `WU_E_PT_WMI_ERROR` | There was an unspecified Windows Management Instrumentation (WMI) error. | +| 0x80244010 | `WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS` | The number of round trips to the server exceeded the maximum limit. | +| 0x80244011 | `WU_E_PT_SUS_SERVER_NOT_SET` | WUServer policy value is missing in the registry. | +| 0x80244012 | `WU_E_PT_DOUBLE_INITIALIZATION` | Initialization failed because the object was already initialized. | +| 0x80244013 | `WU_E_PT_INVALID_COMPUTER_NAME` | The computer name could not be determined. | +| 0x80244015 | `WU_E_PT_REFRESH_CACHE_REQUIRED` | The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | +| 0x80244016 | `WU_E_PT_HTTP_STATUS_BAD_REQUEST` | Same as HTTP status 400 - the server could not process the request due to invalid syntax. | +| 0x80244017 | `WU_E_PT_HTTP_STATUS_DENIED` | Same as HTTP status 401 - the requested resource requires user authentication. | +| 0x80244018 | `WU_E_PT_HTTP_STATUS_FORBIDDEN` | Same as HTTP status 403 - server understood the request but declined to fulfill it. | +| 0x80244019 | `WU_E_PT_HTTP_STATUS_NOT_FOUND` | Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier). | +| 0x8024401A | `WU_E_PT_HTTP_STATUS_BAD_METHOD` | Same as HTTP status 405 - the HTTP method is not allowed. | +| 0x8024401B | `WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ` | Same as HTTP status 407 - proxy authentication is required. | +| 0x8024401C | `WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT` | Same as HTTP status 408 - the server timed out waiting for the request. | +| 0x8024401D | `WU_E_PT_HTTP_STATUS_CONFLICT` | Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource. | +| 0x8024401E | `WU_E_PT_HTTP_STATUS_GONE` | Same as HTTP status 410 - requested resource is no longer available at the server. | +| 0x8024401F | `WU_E_PT_HTTP_STATUS_SERVER_ERROR` | Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. | +| 0x80244020 | `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED` | Same as HTTP status 500 - server does not support the functionality required to fulfill the request. | +| 0x80244021 | `WU_E_PT_HTTP_STATUS_BAD_GATEWAY` | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. | +| 0x80244022 | `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL` | Same as HTTP status 503 - the service is temporarily overloaded. | +| 0x80244023 | `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT` | Same as HTTP status 503 - the request was timed out waiting for a gateway. | +| 0x80244024 | `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP` | Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. | +| 0x80244025 | `WU_E_PT_FILE_LOCATIONS_CHANGED` | Operation failed due to a changed file location; refresh internal state and resend. | +| 0x80244026 | `WU_E_PT_REGISTRATION_NOT_SUPPORTED` | Operation failed because Windows Update Agent does not support registration with a non-WSUS server. | +| 0x80244027 | `WU_E_PT_NO_AUTH_PLUGINS_REQUESTED` | The server returned an empty authentication information list. | +| 0x80244028 | `WU_E_PT_NO_AUTH_COOKIES_CREATED` | Windows Update Agent was unable to create any valid authentication cookies. | +| 0x80244029 | `WU_E_PT_INVALID_CONFIG_PROP` | A configuration property value was wrong. | +| 0x8024402A | `WU_E_PT_CONFIG_PROP_MISSING` | A configuration property value was missing. | +| 0x8024402B | `WU_E_PT_HTTP_STATUS_NOT_MAPPED` | The HTTP request could not be completed and the reason did not correspond to any of the `WU_E_PT_HTTP_*` error codes. | +| 0x8024402C | `WU_E_PT_WINHTTP_NAME_NOT_RESOLVED` | Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved. | +| 0x8024402F | `WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS` | External cab file processing completed with some errors. | +| 0x80244030 | `WU_E_PT_ECP_INIT_FAILED` | The external cab processor initialization did not complete. | +| 0x80244031 | `WU_E_PT_ECP_INVALID_FILE_FORMAT` | The format of a metadata file was invalid. | +| 0x80244032 | `WU_E_PT_ECP_INVALID_METADATA` | External cab processor found invalid metadata. | +| 0x80244033 | `WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST` | The file digest could not be extracted from an external cab file. | +| 0x80244034 | `WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE` | An external cab file could not be decompressed. | +| 0x80244035 | `WU_E_PT_ECP_FILE_LOCATION_ERROR` | External cab processor was unable to get file locations. | +| 0x80244FFF | `WU_E_PT_UNEXPECTED` | A communication error not covered by another `WU_E_PT_*` error code. | +| 0x8024502D | `WU_E_PT_SAME_REDIR_ID` | Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. | +| 0x8024502E | `WU_E_PT_NO_MANAGED_RECOVER` | A redirector recovery action did not complete because the server is managed. | -| Error code | Message | Description | -|-------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -| 0x80246001 | WU_E_DM_URLNOTAVAILABLE | A download manager operation could not be completed because the requested file does not have a URL. | -| 0x80246002 | WU_E_DM_INCORRECTFILEHASH | A download manager operation could not be completed because the file digest was not recognized. | -| 0x80246003 | WU_E_DM_UNKNOWNALGORITHM | A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm. | -| 0x80246004 | WU_E_DM_NEEDDOWNLOADREQUEST | An operation could not be completed because a download request is required from the download handler. | -| 0x80246005 | WU_E_DM_NONETWORK | A download manager operation could not be completed because the network connection was unavailable. | -| 0x80246006 | WU_E_DM_WRONGBITSVERSION | A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | -| 0x80246007 | WU_E_DM_NOTDOWNLOADED | The update has not been downloaded. | -| 0x80246008 | WU_E_DM_FAILTOCONNECTTOBITS | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | -| 0x80246009 | WU_E_DM_BITSTRANSFERERROR | A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error. | -| 0x8024600A | WU_E_DM_DOWNLOADLOCATIONCHANGED | A download must be restarted because the location of the source of the download has changed. | -| 0x8024600B | WU_E_DM_CONTENTCHANGED | A download must be restarted because the update content changed in a new revision. | -| 0x80246FFF | WU_E_DM_UNEXPECTED | There was a download manager error not covered by another WU_E_DM_\* error code. | - -## Update Handler errors +## Download Manager errors -| Error code | Message | Description | -|-------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -| 0x80242000 | WU_E_UH_REMOTEUNAVAILABLE | 9 A request for a remote update handler could not be completed because no remote process is available. | -| 0x80242001 | WU_E_UH_LOCALONLY | A request for a remote update handler could not be completed because the handler is local only. | -| 0x80242002 | WU_E_UH_UNKNOWNHANDLER | A request for an update handler could not be completed because the handler could not be recognized. | -| 0x80242003 | WU_E_UH_REMOTEALREADYACTIVE | A remote update handler could not be created because one already exists. | -| 0x80242004 | WU_E_UH_DOESNOTSUPPORTACTION | A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). | -| 0x80242005 | WU_E_UH_WRONGHANDLER | An operation did not complete because the wrong handler was specified. | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | -| 0x80242007 | WU_E_UH_INSTALLERHUNG | An operation could not be completed because the installer exceeded the time limit. | -| 0x80242008 | WU_E_UH_OPERATIONCANCELLED | An operation being done by the update handler was cancelled. | -| 0x80242009 | WU_E_UH_BADHANDLERXML | An operation could not be completed because the handler-specific metadata is invalid. | -| 0x8024200A | WU_E_UH_CANREQUIREINPUT | A request to the handler to install an update could not be completed because the update requires user input. | -| 0x8024200B | WU_E_UH_INSTALLERFAILURE | The installer failed to install (uninstall) one or more updates. | -| 0x8024200C | WU_E_UH_FALLBACKTOSELFCONTAINED | The update handler should download self-contained content rather than delta-compressed content for the update. | -| 0x8024200D | WU_E_UH_NEEDANOTHERDOWNLOAD | The update handler did not install the update because it needs to be downloaded again. | -| 0x8024200E | WU_E_UH_NOTIFYFAILURE | The update handler failed to send notification of the status of the install (uninstall) operation. | -| 0x8024200F | WU_E_UH_INCONSISTENT_FILE_NAMES | The file names contained in the update metadata and in the update package are inconsistent. | -| 0x80242010 | WU_E_UH_FALLBACKERROR | The update handler failed to fall back to the self-contained content. | -| 0x80242011 | WU_E_UH_TOOMANYDOWNLOADREQUESTS | The update handler has exceeded the maximum number of download requests. | -| 0x80242012 | WU_E_UH_UNEXPECTEDCBSRESPONSE | The update handler has received an unexpected response from CBS. | -| 0x80242013 | WU_E_UH_BADCBSPACKAGEID | The update metadata contains an invalid CBS package identifier. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. | -| 0x80242015 | WU_E_UH_POSTREBOOTRESULTUNKNOWN | The result of the post-reboot operation for the update could not be determined. | -| 0x80242016 | WU_E_UH_POSTREBOOTUNEXPECTEDSTATE | The state of the update after its post-reboot operation has completed is unexpected. | -| 0x80242017 | WU_E_UH_NEW_SERVICING_STACK_REQUIRED | The OS servicing stack must be updated before this update is downloaded or installed. | -| 0x80242FFF | WU_E_UH_UNEXPECTED | An update handler error not covered by another WU_E_UH_\* code. | - -## Data Store errors +| Error code | Message | Description | +|------------|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------| +| 0x80246001 | `WU_E_DM_URLNOTAVAILABLE` | A download manager operation could not be completed because the requested file does not have a URL. | +| 0x80246002 | `WU_E_DM_INCORRECTFILEHASH` | A download manager operation could not be completed because the file digest was not recognized. | +| 0x80246003 | `WU_E_DM_UNKNOWNALGORITHM` | A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm. | +| 0x80246004 | `WU_E_DM_NEEDDOWNLOADREQUEST` | An operation could not be completed because a download request is required from the download handler. | +| 0x80246005 | `WU_E_DM_NONETWORK` | A download manager operation could not be completed because the network connection was unavailable. | +| 0x80246006 | `WU_E_DM_WRONGBITSVERSION` | A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | +| 0x80246007 | `WU_E_DM_NOTDOWNLOADED` | The update has not been downloaded. | +| 0x80246008 | `WU_E_DM_FAILTOCONNECTTOBITS` | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | +| 0x80246009 | `WU_E_DM_BITSTRANSFERERROR` | A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error. | +| 0x8024600A | `WU_E_DM_DOWNLOADLOCATIONCHANGED` | A download must be restarted because the location of the source of the download has changed. | +| 0x8024600B | `WU_E_DM_CONTENTCHANGED` | A download must be restarted because the update content changed in a new revision. | +| 0x80246FFF | `WU_E_DM_UNEXPECTED` | There was a download manager error not covered by another `WU_E_DM_*` error code. | -| Error code | Message | Description | -|-------------|-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x80248000 | WU_E_DS_SHUTDOWN | An operation failed because Windows Update Agent is shutting down. | -| 0x80248001 | WU_E_DS_INUSE | An operation failed because the data store was in use. | -| 0x80248002 | WU_E_DS_INVALID | The current and expected states of the data store do not match. | -| 0x80248003 | WU_E_DS_TABLEMISSING | The data store is missing a table. | -| 0x80248004 | WU_E_DS_TABLEINCORRECT | The data store contains a table with unexpected columns. | -| 0x80248005 | WU_E_DS_INVALIDTABLENAME | A table could not be opened because the table is not in the data store. | -| 0x80248006 | WU_E_DS_BADVERSION | The current and expected versions of the data store do not match. | -| 0x80248007 | WU_E_DS_NODATA | The information requested is not in the data store. | -| 0x80248008 | WU_E_DS_MISSINGDATA | The data store is missing required information or has a NULL in a table column that requires a non-null value. | -| 0x80248009 | WU_E_DS_MISSINGREF | The data store is missing required information or has a reference to missing license terms file localized property or linked row. | -| 0x8024800A | WU_E_DS_UNKNOWNHANDLER | The update was not processed because its update handler could not be recognized. | -| 0x8024800B | WU_E_DS_CANTDELETE | The update was not deleted because it is still referenced by one or more services. | -| 0x8024800C | WU_E_DS_LOCKTIMEOUTEXPIRED | The data store section could not be locked within the allotted time. | -| 0x8024800D | WU_E_DS_NOCATEGORIES | The category was not added because it contains no parent categories and is not a top-level category itself. | -| 0x8024800E | WU_E_DS_ROWEXISTS | The row was not added because an existing row has the same primary key. | -| 0x8024800F | WU_E_DS_STOREFILELOCKED | The data store could not be initialized because it was locked by another process. | -| 0x80248010 | WU_E_DS_CANNOTREGISTER | The data store is not allowed to be registered with COM in the current process. | -| 0x80248011 | WU_E_DS_UNABLETOSTART | Could not create a data store object in another process. | -| 0x80248013 | WU_E_DS_DUPLICATEUPDATEID | The server sent the same update to the client with two different revision IDs. | -| 0x80248014 | WU_E_DS_UNKNOWNSERVICE | An operation did not complete because the service is not in the data store. | -| 0x80248015 | WU_E_DS_SERVICEEXPIRED | An operation did not complete because the registration of the service has expired. | -| 0x80248016 | WU_E_DS_DECLINENOTALLOWED | A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline. | -| 0x80248017 | WU_E_DS_TABLESESSIONMISMATCH | A table was not closed because it is not associated with the session. | -| 0x80248018 | WU_E_DS_SESSIONLOCKMISMATCH | A table was not closed because it is not associated with the session. | -| 0x80248019 | WU_E_DS_NEEDWINDOWSSERVICE | A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service. | -| 0x8024801A | WU_E_DS_INVALIDOPERATION | A request was declined because the operation is not allowed. | -| 0x8024801B | WU_E_DS_SCHEMAMISMATCH | The schema of the current data store and the schema of a table in a backup XML document do not match. | -| 0x8024801C | WU_E_DS_RESETREQUIRED | The data store requires a session reset; release the session and retry with a new session. | -| 0x8024801D | WU_E_DS_IMPERSONATED | A data store operation did not complete because it was requested with an impersonated identity. | -| 0x80248FFF | WU_E_DS_UNEXPECTED | A data store error not covered by another WU_E_DS_\* code. | - -## Driver Util errors +## Update Handler errors + +| Error code | Message | Description | +|------------|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +| 0x80242000 | `WU_E_UH_REMOTEUNAVAILABLE` | A request for a remote update handler could not be completed because no remote process is available. | +| 0x80242001 | `WU_E_UH_LOCALONLY` | A request for a remote update handler could not be completed because the handler is local only. | +| 0x80242002 | `WU_E_UH_UNKNOWNHANDLER` | A request for an update handler could not be completed because the handler could not be recognized. | +| 0x80242003 | `WU_E_UH_REMOTEALREADYACTIVE` | A remote update handler could not be created because one already exists. | +| 0x80242004 | `WU_E_UH_DOESNOTSUPPORTACTION` | A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). | +| 0x80242005 | `WU_E_UH_WRONGHANDLER` | An operation did not complete because the wrong handler was specified. | +| 0x80242006 | `WU_E_UH_INVALIDMETADATA` | A handler operation could not be completed because the update contains invalid metadata. | +| 0x80242007 | `WU_E_UH_INSTALLERHUNG` | An operation could not be completed because the installer exceeded the time limit. | +| 0x80242008 | `WU_E_UH_OPERATIONCANCELLED` | An operation being done by the update handler was canceled. | +| 0x80242009 | `WU_E_UH_BADHANDLERXML` | An operation could not be completed because the handler-specific metadata is invalid. | +| 0x8024200A | `WU_E_UH_CANREQUIREINPUT` | A request to the handler to install an update could not be completed because the update requires user input. | +| 0x8024200B | `WU_E_UH_INSTALLERFAILURE` | The installer failed to install (uninstall) one or more updates. | +| 0x8024200C | `WU_E_UH_FALLBACKTOSELFCONTAINED` | The update handler should download self-contained content rather than delta-compressed content for the update. | +| 0x8024200D | `WU_E_UH_NEEDANOTHERDOWNLOAD` | The update handler did not install the update because it needs to be downloaded again. | +| 0x8024200E | `WU_E_UH_NOTIFYFAILURE` | The update handler failed to send notification of the status of the install (uninstall) operation. | +| 0x8024200F | `WU_E_UH_INCONSISTENT_FILE_NAMES` | The file names contained in the update metadata and in the update package are inconsistent. | +| 0x80242010 | `WU_E_UH_FALLBACKERROR` | The update handler failed to fall back to the self-contained content. | +| 0x80242011 | `WU_E_UH_TOOMANYDOWNLOADREQUESTS` | The update handler has exceeded the maximum number of download requests. | +| 0x80242012 | `WU_E_UH_UNEXPECTEDCBSRESPONSE` | The update handler has received an unexpected response from CBS. | +| 0x80242013 | `WU_E_UH_BADCBSPACKAGEID` | The update metadata contains an invalid CBS package identifier. | +| 0x80242014 | `WU_E_UH_POSTREBOOTSTILLPENDING` | The post-reboot operation for the update is still in progress. | +| 0x80242015 | `WU_E_UH_POSTREBOOTRESULTUNKNOWN` | The result of the post-reboot operation for the update could not be determined. | +| 0x80242016 | `WU_E_UH_POSTREBOOTUNEXPECTEDSTATE` | The state of the update after its post-reboot operation has completed is unexpected. | +| 0x80242017 | `WU_E_UH_NEW_SERVICING_STACK_REQUIRED` | The OS servicing stack must be updated before this update is downloaded or installed. | +| 0x80242FFF | `WU_E_UH_UNEXPECTED` | An update handler error not covered by another `WU_E_UH_*` code. | + +## Data Store errors + +| Error code | Message | Description | +|------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x80248000 | `WU_E_DS_SHUTDOWN` | An operation failed because Windows Update Agent is shutting down. | +| 0x80248001 | `WU_E_DS_INUSE` | An operation failed because the data store was in use. | +| 0x80248002 | `WU_E_DS_INVALID` | The current and expected states of the data store do not match. | +| 0x80248003 | `WU_E_DS_TABLEMISSING` | The data store is missing a table. | +| 0x80248004 | `WU_E_DS_TABLEINCORRECT` | The data store contains a table with unexpected columns. | +| 0x80248005 | `WU_E_DS_INVALIDTABLENAME` | A table could not be opened because the table is not in the data store. | +| 0x80248006 | `WU_E_DS_BADVERSION` | The current and expected versions of the data store do not match. | +| 0x80248007 | `WU_E_DS_NODATA` | The information requested is not in the data store. | +| 0x80248008 | `WU_E_DS_MISSINGDATA` | The data store is missing required information or has a NULL in a table column that requires a non-null value. | +| 0x80248009 | `WU_E_DS_MISSINGREF` | The data store is missing required information or has a reference to missing license terms file localized property or linked row. | +| 0x8024800A | `WU_E_DS_UNKNOWNHANDLER` | The update was not processed because its update handler could not be recognized. | +| 0x8024800B | `WU_E_DS_CANTDELETE` | The update was not deleted because it is still referenced by one or more services. | +| 0x8024800C | `WU_E_DS_LOCKTIMEOUTEXPIRED` | The data store section could not be locked within the allotted time. | +| 0x8024800D | `WU_E_DS_NOCATEGORIES` | The category was not added because it contains no parent categories and is not a top-level category itself. | +| 0x8024800E | `WU_E_DS_ROWEXISTS` | The row was not added because an existing row has the same primary key. | +| 0x8024800F | `WU_E_DS_STOREFILELOCKED` | The data store could not be initialized because it was locked by another process. | +| 0x80248010 | `WU_E_DS_CANNOTREGISTER` | The data store is not allowed to be registered with COM in the current process. | +| 0x80248011 | `WU_E_DS_UNABLETOSTART` | Could not create a data store object in another process. | +| 0x80248013 | `WU_E_DS_DUPLICATEUPDATEID` | The server sent the same update to the client with two different revision IDs. | +| 0x80248014 | `WU_E_DS_UNKNOWNSERVICE` | An operation did not complete because the service is not in the data store. | +| 0x80248015 | `WU_E_DS_SERVICEEXPIRED` | An operation did not complete because the registration of the service has expired. | +| 0x80248016 | `WU_E_DS_DECLINENOTALLOWED` | A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline. | +| 0x80248017 | `WU_E_DS_TABLESESSIONMISMATCH` | A table was not closed because it is not associated with the session. | +| 0x80248018 | `WU_E_DS_SESSIONLOCKMISMATCH` | A table was not closed because it is not associated with the session. | +| 0x80248019 | `WU_E_DS_NEEDWINDOWSSERVICE` | A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service. | +| 0x8024801A | `WU_E_DS_INVALIDOPERATION` | A request was declined because the operation is not allowed. | +| 0x8024801B | `WU_E_DS_SCHEMAMISMATCH` | The schema of the current data store and the schema of a table in a backup XML document do not match. | +| 0x8024801C | `WU_E_DS_RESETREQUIRED` | The data store requires a session reset; release the session and retry with a new session. | +| 0x8024801D | `WU_E_DS_IMPERSONATED` | A data store operation did not complete because it was requested with an impersonated identity. | +| 0x80248FFF | `WU_E_DS_UNEXPECTED` | A data store error not covered by another `WU_E_DS_*` code. | + +## Driver Util errors The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. -|Error code|Message|Description -|-|-|-| -| 0x8024C001 | WU_E_DRV_PRUNED| A driver was skipped. -| 0x8024C002 |WU_E_DRV_NOPROP_OR_LEGACY| A property for the driver could not be found. It may not conform with required specifications. -| 0x8024C003 | WU_E_DRV_REG_MISMATCH| The registry type read for the driver does not match the expected type. -| 0x8024C004 | WU_E_DRV_NO_METADATA| The driver update is missing metadata. -| 0x8024C005 | WU_E_DRV_MISSING_ATTRIBUTE| The driver update is missing a required attribute. -| 0x8024C006| WU_E_DRV_SYNC_FAILED| Driver synchronization failed. -| 0x8024C007 | WU_E_DRV_NO_PRINTER_CONTENT| Information required for the synchronization of applicable printers is missing. -| 0x8024CFFF | WU_E_DRV_UNEXPECTED| A driver error not covered by another WU_E_DRV_* code. - -## Windows Update error codes +| Error code | Message | Description | +|------------|-------------------------------|------------------------------------------------------------------------------------------------| +| 0x8024C001 | `WU_E_DRV_PRUNED` | A driver was skipped. | +| 0x8024C002 | `WU_E_DRV_NOPROP_OR_LEGACY` | A property for the driver could not be found. It may not conform with required specifications. | +| 0x8024C003 | `WU_E_DRV_REG_MISMATCH` | The registry type read for the driver does not match the expected type. | +| 0x8024C004 | `WU_E_DRV_NO_METADATA` | The driver update is missing metadata. | +| 0x8024C005 | `WU_E_DRV_MISSING_ATTRIBUTE` | The driver update is missing a required attribute. | +| 0x8024C006 | `WU_E_DRV_SYNC_FAILED` | Driver synchronization failed. | +| 0x8024C007 | `WU_E_DRV_NO_PRINTER_CONTENT` | Information required for the synchronization of applicable printers is missing. | +| 0x8024CFFF | `WU_E_DRV_UNEXPECTED` | A driver error not covered by another `WU_E_DRV_*` code. | -|Error code|Message|Description -|-|-|-| -| 0x80240001 | WU_E_NO_SERVICE| Windows Update Agent was unable to provide the service. -| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded. -| 0x80240003 | WU_E_UNKNOWN_ID| An ID cannot be found. -| 0x80240004 | WU_E_NOT_INITIALIZED| The object could not be initialized. -| 0x80240005 | WU_E_RANGEOVERLAP |The update handler requested a byte range overlapping a previously requested range. -| 0x80240006 | WU_E_TOOMANYRANGES| The requested number of byte ranges exceeds the maximum number (2^31 - 1). -| 0x80240007 | WU_E_INVALIDINDEX| The index to a collection was invalid. -| 0x80240008 | WU_E_ITEMNOTFOUND| The key for the item queried could not be found. -| 0x80240009 | WU_E_OPERATIONINPROGRESS| Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously. -| 0x8024000A | WU_E_COULDNOTCANCEL| Cancellation of the operation was not allowed. -| 0x8024000B | WU_E_CALL_CANCELLED| Operation was cancelled. -| 0x8024000C | WU_E_NOOP| No operation was required. -| 0x8024000D | WU_E_XML_MISSINGDATA| Windows Update Agent could not find required information in the update's XML data. -| 0x8024000E | WU_E_XML_INVALID| Windows Update Agent found invalid information in the update's XML data. -| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata. -| 0x80240010 | WU_E_TOO_DEEP_RELATION| Update relationships too deep to evaluate were evaluated. -| 0x80240011 | WU_E_INVALID_RELATIONSHIP| An invalid update relationship was detected. -| 0x80240012 | WU_E_REG_VALUE_INVALID| An invalid registry value was read. -| 0x80240013 | WU_E_DUPLICATE_ITEM| Operation tried to add a duplicate item to a list. -| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED| Operation tried to install while another installation was in progress or the system was pending a mandatory restart. -| 0x80240017 | WU_E_NOT_APPLICABLE| Operation was not performed because there are no applicable updates. -| 0x80240018 | WU_E_NO_USERTOKEN| Operation failed because a required user token is missing. -| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT| An exclusive update cannot be installed with other updates at the same time. -| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set. -| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS| The operation could not be performed because the Windows Update Agent is self-updating. -| 0x8024001D | WU_E_INVALID_UPDATE| An update contains invalid metadata. -| 0x8024001E | WU_E_SERVICE_STOP| Operation did not complete because the service or system was being shut down. -| 0x8024001F | WU_E_NO_CONNECTION| Operation did not complete because the network connection was unavailable. -| 0x80240020 | WU_E_NO_INTERACTIVE_USER| Operation did not complete because there is no logged-on interactive user. -| 0x80240021 | WU_E_TIME_OUT| Operation did not complete because it timed out. -| 0x80240022 | WU_E_ALL_UPDATES_FAILED| Operation failed for all the updates. -| 0x80240023 | WU_E_EULAS_DECLINED| The license terms for all updates were declined. -| 0x80240024 | WU_E_NO_UPDATE| There are no updates. -| 0x80240025 | WU_E_USER_ACCESS_DISABLED| Group Policy settings prevented access to Windows Update. -| 0x80240026 | WU_E_INVALID_UPDATE_TYPE| The type of update is invalid. -| 0x80240027 | WU_E_URL_TOO_LONG| The URL exceeded the maximum length. -| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED| The update could not be uninstalled because the request did not originate from a WSUS server. -| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE| Search may have missed some updates before there is an unlicensed application on the system. -| 0x8024002A | WU_E_MISSING_HANDLER| A component required to detect applicable updates was missing. -| 0x8024002B | WU_E_LEGACYSERVER| An operation did not complete because it requires a newer version of server. -| 0x8024002C | WU_E_BIN_SOURCE_ABSENT| A delta-compressed update could not be installed because it required the source. -| 0x8024002D | WU_E_SOURCE_ABSENT| A full-file update could not be installed because it required the source. -| 0x8024002E | WU_E_WU_DISABLED| Access to an unmanaged server is not allowed. -| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY| Operation did not complete because the DisableWindowsUpdateAccess policy was set. -| 0x80240030 | WU_E_INVALID_PROXY_SERVER| The format of the proxy list was invalid. -| 0x80240031 | WU_E_INVALID_FILE| The file is in the wrong format. -| 0x80240032 | WU_E_INVALID_CRITERIA| The search criteria string was invalid. -| 0x80240033 | WU_E_EULA_UNAVAILABLE| License terms could not be downloaded. -| 0x80240034 | WU_E_DOWNLOAD_FAILED| Update failed to download. -| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED| The update was not processed. -| 0x80240036 | WU_E_INVALID_OPERATION| The object's current state did not allow the operation. -| 0x80240037 | WU_E_NOT_SUPPORTED| The functionality for the operation is not supported. -| 0x80240038 | WU_E_WINHTTP_INVALID_FILE| The downloaded file has an unexpected content type. -| 0x80240039 | WU_E_TOO_MANY_RESYNC| Agent is asked by server to resync too many times. -| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT| WUA API method does not run on Server Core installation. -| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS| Service is not available while sysprep is running. -| 0x80240042 | WU_E_UNKNOWN_SERVICE| The update service is no longer registered with AU. -| 0x80240043 | WU_E_NO_UI_SUPPORT| There is no support for WUA UI. -| 0x80240FFF | WU_E_UNEXPECTED| An operation failed due to reasons not covered by another error code. - -## Windows Update success codes +## Windows Update error codes -|Error code|Message|Description -|-|-|-| -| 0x00240001| WU_S_SERVICE_STOP| Windows Update Agent was stopped successfully. -| 0x00240002 | WU_S_SELFUPDATE| Windows Update Agent updated itself. -| 0x00240003 | WU_S_UPDATE_ERROR| Operation completed successfully but there were errors applying the updates. -| 0x00240004 | WU_S_MARKED_FOR_DISCONNECT| A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. -| 0x00240005 | WU_S_REBOOT_REQUIRED| The system must be restarted to complete installation of the update. -| 0x00240006 | WU_S_ALREADY_INSTALLED| The update to be installed is already installed on the system. -| 0x00240007 | WU_S_ALREADY_UNINSTALLED | The update to be removed is not installed on the system. -| 0x00240008 | WU_S_ALREADY_DOWNLOADED| The update to be downloaded has already been downloaded. - -## Windows Installer minor errors +| Error code | Message | Description | +|------------|-----------------------------------|--------------------------------------------------------------| +| 0x80240001 | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service. +| 0x80240002 | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded. +| 0x80240003 | `WU_E_UNKNOWN_ID` | An ID cannot be found. +| 0x80240004 | `WU_E_NOT_INITIALIZED` | The object could not be initialized. +| 0x80240005 | `WU_E_RANGEOVERLAP` | The update handler requested a byte range overlapping a previously requested range. +| 0x80240006 | `WU_E_TOOMANYRANGES` | The requested number of byte ranges exceeds the maximum number (2^31 - 1). +| 0x80240007 | `WU_E_INVALIDINDEX` | The index to a collection was invalid. +| 0x80240008 | `WU_E_ITEMNOTFOUND` | The key for the item queried could not be found. +| 0x80240009 | `WU_E_OPERATIONINPROGRESS` | Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously. +| 0x8024000A | `WU_E_COULDNOTCANCEL` | Cancellation of the operation was not allowed. +| 0x8024000B | `WU_E_CALL_CANCELLED` | Operation was canceled. +| 0x8024000C | `WU_E_NOOP` | No operation was required. +| 0x8024000D | `WU_E_XML_MISSINGDATA` | Windows Update Agent could not find required information in the update's XML data. +| 0x8024000E | `WU_E_XML_INVALID` | Windows Update Agent found invalid information in the update's XML data. +| 0x8024000F | `WU_E_CYCLE_DETECTED` | Circular update relationships were detected in the metadata. +| 0x80240010 | `WU_E_TOO_DEEP_RELATION` | Update relationships too deep to evaluate were evaluated. +| 0x80240011 | `WU_E_INVALID_RELATIONSHIP` | An invalid update relationship was detected. +| 0x80240012 | `WU_E_REG_VALUE_INVALID` | An invalid registry value was read. +| 0x80240013 | `WU_E_DUPLICATE_ITEM` | Operation tried to add a duplicate item to a list. +| 0x80240016 | `WU_E_INSTALL_NOT_ALLOWED` | Operation tried to install while another installation was in progress or the system was pending a mandatory restart. +| 0x80240017 | `WU_E_NOT_APPLICABLE` | Operation was not performed because there are no applicable updates. +| 0x80240018 | `WU_E_NO_USERTOKEN` | Operation failed because a required user token is missing. +| 0x80240019 | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update cannot be installed with other updates at the same time. +| 0x8024001A | `WU_E_POLICY_NOT_SET` | A policy value was not set. +| 0x8024001B | `WU_E_SELFUPDATE_IN_PROGRESS` | The operation could not be performed because the Windows Update Agent is self-updating. +| 0x8024001D | `WU_E_INVALID_UPDATE` | An update contains invalid metadata. +| 0x8024001E | `WU_E_SERVICE_STOP` | Operation did not complete because the service or system was being shut down. +| 0x8024001F | `WU_E_NO_CONNECTION` | Operation did not complete because the network connection was unavailable. +| 0x80240020 | `WU_E_NO_INTERACTIVE_USER` | Operation did not complete because there is no logged-on interactive user. +| 0x80240021 | `WU_E_TIME_OUT` | Operation did not complete because it timed out. +| 0x80240022 | `WU_E_ALL_UPDATES_FAILED` | Operation failed for all the updates. +| 0x80240023 | `WU_E_EULAS_DECLINED` | The license terms for all updates were declined. +| 0x80240024 | `WU_E_NO_UPDATE` | There are no updates. +| 0x80240025 | `WU_E_USER_ACCESS_DISABLED` | Group Policy settings prevented access to Windows Update. +| 0x80240026 | `WU_E_INVALID_UPDATE_TYPE` | The type of update is invalid. +| 0x80240027 | `WU_E_URL_TOO_LONG` | The URL exceeded the maximum length. +| 0x80240028 | `WU_E_UNINSTALL_NOT_ALLOWED` | The update could not be uninstalled because the request did not originate from a WSUS server. +| 0x80240029 | `WU_E_INVALID_PRODUCT_LICENSE` | Search may have missed some updates before there is an unlicensed application on the system. +| 0x8024002A | `WU_E_MISSING_HANDLER` | A component required to detect applicable updates was missing. +| 0x8024002B | `WU_E_LEGACYSERVER` | An operation did not complete because it requires a newer version of server. +| 0x8024002C | `WU_E_BIN_SOURCE_ABSENT` | A delta-compressed update could not be installed because it required the source. +| 0x8024002D | `WU_E_SOURCE_ABSENT` | A full-file update could not be installed because it required the source. +| 0x8024002E | `WU_E_WU_DISABLED` | Access to an unmanaged server is not allowed. +| 0x8024002F | `WU_E_CALL_CANCELLED_BY_POLICY` | Operation did not complete because the DisableWindowsUpdateAccess policy was set. +| 0x80240030 | `WU_E_INVALID_PROXY_SERVER` | The format of the proxy list was invalid. +| 0x80240031 | `WU_E_INVALID_FILE` | The file is in the wrong format. +| 0x80240032 | `WU_E_INVALID_CRITERIA` | The search criteria string was invalid. +| 0x80240033 | `WU_E_EULA_UNAVAILABLE` | License terms could not be downloaded. +| 0x80240034 | `WU_E_DOWNLOAD_FAILED` | Update failed to download. +| 0x80240035 | `WU_E_UPDATE_NOT_PROCESSED` | The update was not processed. +| 0x80240036 | `WU_E_INVALID_OPERATION` | The object's current state did not allow the operation. +| 0x80240037 | `WU_E_NOT_SUPPORTED` | The functionality for the operation is not supported. +| 0x80240038 | `WU_E_WINHTTP_INVALID_FILE` | The downloaded file has an unexpected content type. +| 0x80240039 | `WU_E_TOO_MANY_RESYNC` | Agent is asked by server to resync too many times. +| 0x80240040 | `WU_E_NO_SERVER_CORE_SUPPORT` | `WUA API` method does not run on Server Core installation. +| 0x80240041 | `WU_E_SYSPREP_IN_PROGRESS` | Service is not available while sysprep is running. +| 0x80240042 | `WU_E_UNKNOWN_SERVICE` | The update service is no longer registered with `AU`. +| 0x80240043 | `WU_E_NO_UI_SUPPORT` | There is no support for `WUA UI`. +| 0x80240FFF | `WU_E_UNEXPECTED` | An operation failed due to reasons not covered by another error code. + +## Windows Update success codes + +| Error code | Message | Description | +|------------|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------| +| 0x00240001 | `WU_S_SERVICE_STOP` | Windows Update Agent was stopped successfully. | +| 0x00240002 | `WU_S_SELFUPDATE` | Windows Update Agent updated itself. | +| 0x00240003 | `WU_S_UPDATE_ERROR` | Operation completed successfully but there were errors applying the updates. | +| 0x00240004 | `WU_S_MARKED_FOR_DISCONNECT` | A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. | +| 0x00240005 | `WU_S_REBOOT_REQUIRED` | The system must be restarted to complete installation of the update. | +| 0x00240006 | `WU_S_ALREADY_INSTALLED` | The update to be installed is already installed on the system. | +| 0x00240007 | `WU_S_ALREADY_UNINSTALLED` | The update to be removed is not installed on the system. | +| 0x00240008 | `WU_S_ALREADY_DOWNLOADED` | The update to be downloaded has already been downloaded. | + +## Windows Installer minor errors The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer. -|Error code|Message|Description -|-|-|-| -| 0x80241001 |WU_E_MSI_WRONG_VERSION| Search may have missed some updates because the Windows Installer is less than version 3.1. -| 0x80241002 | WU_E_MSI_NOT_CONFIGURED| Search may have missed some updates because the Windows Installer is not configured. -| 0x80241003 | WU_E_MSP_DISABLED| Search may have missed some updates because policy has disabled Windows Installer patching. -| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT| An update could not be applied because the application is installed per-user. -| 0x80241FFF | WU_E_MSP_UNEXPECTED| Search may have missed some updates because there was a failure of the Windows Installer. +| Error code | Message | Description | +|------------|------------------------------|---------------------------------------------------------------------------------------------| +| 0x80241001 | `WU_E_MSI_WRONG_VERSION` | Search may have missed some updates because the Windows Installer is less than version 3.1. | +| 0x80241002 | `WU_E_MSI_NOT_CONFIGURED` | Search may have missed some updates because the Windows Installer is not configured. | +| 0x80241003 | `WU_E_MSP_DISABLED` | Search may have missed some updates because policy has disabled Windows Installer patching. | +| 0x80241004 | `WU_E_MSI_WRONG_APP_CONTEXT` | An update could not be applied because the application is installed per-user. | +| 0x80241FFF | `WU_E_MSP_UNEXPECTED` | Search may have missed some updates because there was a failure of the Windows Installer. | -## Windows Update Agent update and setup errors +## Windows Update Agent update and setup errors -|Error code|Message|Description -|-|-|-| -| 0x8024D001 | WU_E_SETUP_INVALID_INFDATA| Windows Update Agent could not be updated because an INF file contains invalid information. -| 0x8024D002 | WU_E_SETUP_INVALID_IDENTDATA| Windows Update Agent could not be updated because the wuident.cab file contains invalid information. -| 0x8024D003 | WU_E_SETUP_ALREADY_INITIALIZED| Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice. -| 0x8024D004 | WU_E_SETUP_NOT_INITIALIZED| Windows Update Agent could not be updated because setup initialization never completed successfully. -| 0x8024D005 | WU_E_SETUP_SOURCE_VERSION_MISMATCH| Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions. -| 0x8024D006 | WU_E_SETUP_TARGET_VERSION_GREATER| Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file. -| 0x8024D007 | WU_E_SETUP_REGISTRATION_FAILED| Windows Update Agent could not be updated because regsvr32.exe returned an error. -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE| An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. -| 0x8024D00A | WU_E_SETUP_UNSUPPORTED_CONFIGURATION| Windows Update Agent could not be updated because the current system configuration is not supported. -| 0x8024D00B | WU_E_SETUP_BLOCKED_CONFIGURATION| Windows Update Agent could not be updated because the system is configured to block the update. -| 0x8024D00C | WU_E_SETUP_REBOOT_TO_FIX| Windows Update Agent could not be updated because a restart of the system is required. -| 0x8024D00D | WU_E_SETUP_ALREADYRUNNING| Windows Update Agent setup is already running. -| 0x8024D00E | WU_E_SETUP_REBOOTREQUIRED| Windows Update Agent setup package requires a reboot to complete installation. -| 0x8024D00F | WU_E_SETUP_HANDLER_EXEC_FAILURE| Windows Update Agent could not be updated because the setup handler failed during execution. -| 0x8024D010 | WU_E_SETUP_INVALID_REGISTRY_DATA| Windows Update Agent could not be updated because the registry contains invalid information. -| 0x8024D013 | WU_E_SETUP_WRONG_SERVER_VERSION| Windows Update Agent could not be updated because the server does not contain update information for this version. -| 0x8024DFFF | WU_E_SETUP_UNEXPECTED| Windows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code. +| Error code | Message | Description | +|------------|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------| +| 0x8024D001 | `WU_E_SETUP_INVALID_INFDATA` | Windows Update Agent could not be updated because an INF file contains invalid information. | +| 0x8024D002 | `WU_E_SETUP_INVALID_IDENTDATA` | Windows Update Agent could not be updated because the `wuident.cab` file contains invalid information. | +| 0x8024D003 | `WU_E_SETUP_ALREADY_INITIALIZED` | Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice. | +| 0x8024D004 | `WU_E_SETUP_NOT_INITIALIZED` | Windows Update Agent could not be updated because setup initialization never completed successfully. | +| 0x8024D005 | `WU_E_SETUP_SOURCE_VERSION_MISMATCH` | Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions. | +| 0x8024D006 | `WU_E_SETUP_TARGET_VERSION_GREATER` | Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file. | +| 0x8024D007 | `WU_E_SETUP_REGISTRATION_FAILED` | Windows Update Agent could not be updated because `regsvr32.exe` returned an error. | +| 0x8024D009 | `WU_E_SETUP_SKIP_UPDATE` | An update to the Windows Update Agent was skipped due to a directive in the `wuident.cab` file. | +| 0x8024D00A | `WU_E_SETUP_UNSUPPORTED_CONFIGURATION` | Windows Update Agent could not be updated because the current system configuration is not supported. | +| 0x8024D00B | `WU_E_SETUP_BLOCKED_CONFIGURATION` | Windows Update Agent could not be updated because the system is configured to block the update. | +| 0x8024D00C | `WU_E_SETUP_REBOOT_TO_FIX` | Windows Update Agent could not be updated because a restart of the system is required. | +| 0x8024D00D | `WU_E_SETUP_ALREADYRUNNING` | Windows Update Agent setup is already running. | +| 0x8024D00E | `WU_E_SETUP_REBOOTREQUIRED` | Windows Update Agent setup package requires a reboot to complete installation. | +| 0x8024D00F | `WU_E_SETUP_HANDLER_EXEC_FAILURE` | Windows Update Agent could not be updated because the setup handler failed during execution. | +| 0x8024D010 | `WU_E_SETUP_INVALID_REGISTRY_DATA` | Windows Update Agent could not be updated because the registry contains invalid information. | +| 0x8024D013 | `WU_E_SETUP_WRONG_SERVER_VERSION` | Windows Update Agent could not be updated because the server does not contain update information for this version. | +| 0x8024DFFF | `WU_E_SETUP_UNEXPECTED` | Windows Update Agent could not be updated because of an error not covered by another `WU_E_SETUP_*` error code. | diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index a1784e6a6e..7fd5fb5a6e 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -48,7 +48,7 @@ The update that is offered to a device depends on several factors. Some of the m If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. -## My machine is frozen at scan. Why? +## My device is frozen at scan. Why? The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: 1. Close the Settings app and reopen it. 2. Launch Services.msc and check if the following services are running: @@ -145,7 +145,23 @@ Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. + +## Device cannot access update files +Check that your device can access these Windows Update endpoints: + +- http://windowsupdate.microsoft.com +- http://*.windowsupdate.microsoft.com +- https://*.windowsupdate.microsoft.com +- http://*.update.microsoft.com +- https://*.update.microsoft.com +- http://*.windowsupdate.com +- http://download.windowsupdate.com +- https://download.microsoft.com +- http://*.download.windowsupdate.com +- http://wustat.windows.com +- http://ntservicepack.microsoft.com + Whitelist these endpoints for future use. ## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 15c4156866..64f031f72e 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -9,7 +9,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.localizationpriority: medium ms.topic: article --- @@ -294,7 +295,7 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m-0x8007002 - 0x20009
+0x80070002 - 0x20009
0x80073B92 - 0x20009 @@ -593,7 +594,7 @@ Download and run the media creation tool. See hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.
- Disable the Upgrades classification. @@ -602,7 +603,7 @@ Download and run the media creation tool. See How to delete upgrades in WSUS. +
For detailed information on how to run these steps check out How to delete upgrades in WSUS.
andWindows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | -| Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter| Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | +| Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/3rd Party MFA Adapter| Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/3rd Party MFA Adapter | | Azure Account | Azure Account | Azure Account | Azure Account | | Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory | | Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect | | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | -### On-premises Deployments +### On-premises Deployments + The table shows the minimum requirements for each deployment. | Key trust Group Policy managed | Certificate trust Group Policy managed| -| --- | --- | +| --- | --- | | Windows 10, version 1703 or later | Windows 10, version 1703 or later | | Windows Server 2016 Schema | Windows Server 2016 Schema| | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | -| AD FS with Azure MFA Server, orAD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, orAD FS with 3rd Party MFA Adapter | +| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter | | Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing | >[!IMPORTANT] -> For Windows Hello for Business deployment, if you have several domains, at least one Windows Server Domain Controller 2016 is required for each domain. For more information, see the [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers). +> For Windows Hello for Business key trust deployments, if you have several domains, at least one Windows Server Domain Controller 2016 or newer is required for each domain. For more information, see the [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers). diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index 830bfcfcfc..702f62e6d4 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -97,14 +97,14 @@ The smart card reader device name is constructed in the form <*VendorName*> | 607 | Reader object failed to start monitor thread: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | | 608 | Reader monitor failed to create power down timer: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | | 609 | Reader monitor failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | -| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card | +| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This is a benign error that does not affect end use of a smart card and can be ignored.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card | | 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. | | 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code | | 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code | | 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name | | 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name | | 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | -| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | +| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. This error may also occur if the event is queried before the smart card service is ready. In this case the error is benign and can be ignored.
%1 = Windows error code | | 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | ## Smart card Plug and Play events diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index f6d1a67328..bf7360d125 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -49,6 +49,9 @@ The recovery process included in this topic only works for desktop devices. WIP 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager](create-wip-policy-using-sccm.md). +> [!NOTE] +> This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM). + ## Verify your data recovery certificate is correctly set up on a WIP client computer 1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP. diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index f8776c4535..099acd1d5f 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -9,7 +9,7 @@ #### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) #### [Configuration score](microsoft-defender-atp/configuration-score.md) #### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md) -#### [Remediation](microsoft-defender-atp/tvm-remediation.md) +#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md) #### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) #### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) #### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) @@ -122,10 +122,13 @@ ##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md) ##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md) ##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md) +##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md) +##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md) +##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md) +##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md) #### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) #### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md) - #### [Custom detections]() ##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md) ##### [Create and manage custom detections rules](microsoft-defender-atp/custom-detection-rules.md) @@ -317,8 +320,12 @@ ##### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md) #### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md) #### [Configure Microsoft Defender ATP for Mac]() +##### [Configure and validate exclusions](windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md) ##### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md) ##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/microsoft-defender-atp-mac-pua.md) +#### [Troubleshoot Microsoft Defender ATP for Mac]() +##### [Troubleshoot performance issues](windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md) +##### [Troubleshoot kernel extension issues](windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md) #### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md) #### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 663976a44a..bbba6bbb82 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,7 +1,7 @@ --- title: Threat Protection (Windows 10) description: Learn how Microsoft Defender ATP helps protect against threats. -keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting, cyber threat hunting +keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -64,7 +64,7 @@ The attack surface reduction set of capabilities provide the first line of defen - [Application control](windows-defender-application-control/windows-defender-application-control.md) - [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - [Exploit protection](microsoft-defender-atp/exploit-protection.md) -- [Network protection](microsoft-defender-atp/network-protection.md), [Web protection](microsoft-defender-atp/web-protection-overview.md) +- [Network protection](microsoft-defender-atp/network-protection.md), [web protection](microsoft-defender-atp/web-protection-overview.md) - [Controlled folder access](microsoft-defender-atp/controlled-folders.md) - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) - [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index e269b25de8..c0b6610350 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -25,6 +25,8 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +[!include[Prerelease information](prerelease.md)] + The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema. ## Schema tables @@ -45,7 +47,11 @@ Table and column names are also listed within the Microsoft Defender Security Ce | **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events | | **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events | | **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | +| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Vulnerabilities in your software inventory | +| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Publicly-available vulnerabilities and whether they exist in your software inventory | +| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Security configuration assessment information | +| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Basis of security configuration assessment such as security industry standards and benchmarks | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) -- [Learn the query language](advanced-hunting-query-language.md) \ No newline at end of file +- [Learn the query language](advanced-hunting-query-language.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md new file mode 100644 index 0000000000..35d38020d6 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md @@ -0,0 +1,53 @@ +--- +title: DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema +description: Learn about the DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema, such as machine ID, computer name, operating system platform, security configuration details, impact, and compliance information. +keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSecureConfigurationAssessment +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/27/2019 +--- + +# DeviceTvmSecureConfigurationAssessment + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +[!include[Prerelease information](prerelease.md)] + +Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration. Use this reference to check the latest assessment results and determine whether device are compliant. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| +| Timestamp | datetime |Date and time when the record was generated| +| ConfigurationId | string | Unique identifier for a specific configuration | +| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls| +| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | +| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) | +| IsCompliant | boolean | Indicates whether the configuration or policy is properly configured | + + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md new file mode 100644 index 0000000000..857a5731c6 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md @@ -0,0 +1,53 @@ +--- +title: DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema +description: Learn about the DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema, security configuration details, and the associated industry benchmarks that it adheres to. +keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, MITRE ATT&CK framework, DeviceTvmSecureConfigurationAssessmentKB +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/27/2019 +--- + +# DeviceTvmSecureConfigurationAssessmentKB + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +[!include[Prerelease information](prerelease.md)] + +The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configuration TVM checks during assessments related to your organization. An example of a security configuration is to block JavaScript or VBScript from launching downloaded executable content to prevent accidentally downloading malicious files in your network. Use this reference to construct queries that return information from the table. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| ConfigurationId | string | Unique identifier for a specific configuration | +| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) | +| ConfigurationName | string | Display name of the configuration | +| ConfigurationDescription | string | Description of the configuration | +| RiskDescription | string | Description of the associated risk | +| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls| +| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | +| ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration | +| RelatedMitreTechniques | string | List of Mitre ATT&CK framework techniques related to the configuration | +| RelatedMitreTactics | string | List of Mitre ATT&CK framework tactics related to the configuration| + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md new file mode 100644 index 0000000000..fcf0c2e4bd --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md @@ -0,0 +1,56 @@ +--- +title: DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema +description: Learn about the DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema, such as operating system platform, version, and architecture, software vendor, name, and version, CVE ID, vulnerability severity, and descriptions +keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software inventory, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareInventoryVulnerabilities +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/27/2019 +--- + +# DeviceTvmSoftwareInventoryVulnerabilities + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + + +[!include[Prerelease information](prerelease.md)] + +The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains an inventory of the software on your devices as well as any known vulnerabilities in the software products. Use this reference to construct queries that return information from the table. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| +| OSVersion | string | Version of the operating system running on the machine | +| OSArchitecture | string | Architecture of the operating system running on the machine| +| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape| +| SoftwareName | string | Name of the software product| +|SoftwareVersion | string | Version number of the software product| +| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system| +| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape| + + + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md new file mode 100644 index 0000000000..757ad9858c --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md @@ -0,0 +1,51 @@ +--- +title: DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema +description: Learn about the DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema, such as CVE ID, CVSS score, exploit availability, vulnerability severity, last modified time, date the vulnerability was disclosed to public, and affected software in your network. +keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareVulnerabilitiesKB +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/27/2019 +--- + +# DeviceTvmSoftwareVulnerabilitiesKB + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +[!include[Prerelease information](prerelease.md)] + +The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains information about the vulnerabilities Threat & Vulnerability Management assesses devices for. Use this reference along with DeviceTvmSoftwareInventoryVulnerabilities to construct queries that return information on the metadata related to the vulnerabilities in your inventory. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system| +| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS)| +| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available| +| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape| +| LastModifiedTime | datetime | Date and time the item or related metadata was last modified| +| PublishedDate | datetime | Date vulnerability was disclosed to public| +| VulnerabilityDescription | string | Description of vulnerability and associated risks| +| AffectedSoftware | string | List of all software products affected by the vulnerability| + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index 4eafbbefa8..6a076bfb65 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -60,7 +60,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com >- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) > >To download the security updates: ->1. Go to [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). +>1. Go to [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/home.aspx). >2. Key-in the security update KB number that you need to download, then click **Search**. ## Related topics @@ -68,7 +68,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index d0dfe6add3..2373d0cf56 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md @@ -33,10 +33,10 @@ The topics in this section describe how to configure attack surface reduction. E Topic | Description -|- -[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to preprare for and install Application Guard, including hardware and softeware requirements -[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and potect kernel mode processes +[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements +[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and protect kernel mode processes [Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps -[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains +[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to access dangerous domains [Controlled folder access](./enable-controlled-folders.md)|How to protect valuable data from malicious apps -[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware +[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used by exploit-seeking malware [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 8c0c0aa43c..95e0136a97 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -141,7 +141,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 1. Download the [connectivity verification tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on. -2. Extract the contents of WDATPConnectivityAnalyzer on the machine. +2. Extract the contents of MDATPClientAnalyzer on the machine. 3. Open an elevated command-line: @@ -152,19 +152,19 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 4. Enter the following command and press **Enter**: ```PowerShell - HardDrivePath\WDATPConnectivityAnalyzer.cmd + HardDrivePath\MDATPClientAnalyzer.cmd ``` - Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example + Replace *HardDrivePath* with the path where the MDATPClientAnalyzer tool was downloaded to, for example ```PowerShell - C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd + C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd ``` -5. Extract the *WDATPConnectivityAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. +5. Extract the *MDATPClientAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. -6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
- The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: +6. Open *MDATPClientAnalyzerResult.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
+ The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: ```text Testing URL : https://xxx.microsoft.com/xxx diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png new file mode 100644 index 0000000000..27b00fdd87 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-confirmation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-confirmation.png new file mode 100644 index 0000000000..d0eb92e377 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-confirmation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png new file mode 100644 index 0000000000..3f8ead879c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-details.png new file mode 100644 index 0000000000..9acba5c77f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dropdown.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dropdown.png new file mode 100644 index 0000000000..31d16836b0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dropdown.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png new file mode 100644 index 0000000000..6cafba6c3d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-flyout.png new file mode 100644 index 0000000000..e01d9f53a5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-flyout.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png new file mode 100644 index 0000000000..072835588a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-list.png new file mode 100644 index 0000000000..dbd99451af Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-list.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png new file mode 100644 index 0000000000..98d59f5c07 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-granular-exploit.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-granular-exploit.png new file mode 100644 index 0000000000..00d29b4a0c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-granular-exploit.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png index a40e39c3d0..2f9717883f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-page.png new file mode 100644 index 0000000000..36ca63f7bf Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_alert_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_alert_icon.png index ebd390bd98..863c7e4fbe 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_alert_icon.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_alert_icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_bug_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_bug_icon.png index b87ba02a90..e81d73f631 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_bug_icon.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_bug_icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 57782a8e2b..e9723fa61e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -37,7 +37,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Windows 10 Enterprise E5 - Windows 10 Education E5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 -- Microsoft 365 E3 (M365 E3) with Identity and Threat Protection package + For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 3a670e00a5..eecae45f38 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -62,7 +62,7 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 5fe5221463..c9129e6196 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -44,7 +44,13 @@ The following features are included in the preview release: - [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac)
Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices. -- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy). +- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy). + +- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table)
You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase. + + - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions. + +- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories. - [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index f7512247e0..df00947476 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -143,12 +143,40 @@ When an exception is created for a recommendation, the recommendation is no long 2. Click the top-most recommendation. A flyout panel opens with the recommendation details. 3. Click **Exception options**. + 4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. +>  + 5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created. + 6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past). + + +## Use Advanced hunting query to search for machines with High active alerts or critical CVE public exploit + +1. Go to **Advanced hunting** from the left-hand navigation pane. + +2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names. + +3. Enter the following queries: + +``` +// Search for machines with High active alerts or Critical CVE public exploit +DeviceTvmSoftwareInventoryVulnerabilities +| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId +| where IsExploitAvailable == 1 and CvssScore >= 7 +| summarize NumOfVulnerabilities=dcount(CveId), +ComputerName=any(ComputerName) by MachineId +| join kind =inner(AlertEvents) on MachineId +| summarize NumOfVulnerabilities=any(NumOfVulnerabilities), +ComputerName=any(ComputerName) by MachineId, AlertId +| project ComputerName, NumOfVulnerabilities, AlertId +| order by NumOfVulnerabilities desc + +``` ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) @@ -156,6 +184,8 @@ When an exception is created for a recommendation, the recommendation is no long - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 1704845ac8..668b2a1cb4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -53,7 +53,7 @@ Area | Description (2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**. **Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data. **Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information. -**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information. +**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information. **Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information. **Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information. (3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**. @@ -73,7 +73,7 @@ See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/t - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 8eebb66298..fca24b4b1f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -42,7 +42,7 @@ Reduce the exposure score by addressing what needs to be remediated based on the - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 674d4b0309..99b1ae6759 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -1,6 +1,6 @@ --- -title: Remediation -description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). +title: Remediation and exception +description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations or filing exceptions provided there are compensation controls. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/11/2019 --- -# Remediation +# Remediation and exception **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -47,11 +47,62 @@ When you submit a remediation request from Threat & Vulnerability Management, it It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune. -You also have the option to export all remediation activity data to CSV for records, reporting purposes, or if you want to notify your IT administration counterpart that a remediation ticket has been submitted. The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task. -However, if the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The exceptions you've filed will also show up in the **Remediation** page, in the **Exceptions** tab. +## When to file for exception instead of remediating issues +You can file exceptions to exclude certain recommendation from showing up in reports and affecting risk scores or secure scores. + +When you select a security recommendation, it opens up a flyout screen with details and options for your next step. You can either **Open software page**, choose from **Remediation options**, go through **Exception options** to file for exceptions, or **Report inaccuracy**. + +Select **Exception options** and a flyout screen opens. + + + +### Exception justification +If the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The following list details the justifications behind the exception options: + +- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus +- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow +- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive +- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization +- **Other** - False positive + + +  + +### Exception visibility +The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. +However, you also have the option to filter your view based on exception justification, type, and status. + + + +Aside from that, there's also an option to **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. + + + +Clicking the link opens up to the **Security recommendations** page, where you can select the item exempted item with details. + + + +### Actions on exceptions +- Cancel - You can cancel the exceptions you've filed any time +- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded + +### Exception status +- **Canceled** - The exception has been canceled and is no longer in effect +- **Expired** - The exception that you've filed is no longer in effect +- **In effect** - The exception that you've filed is in progress + +### Exception impact on scores +Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Secure Score (for configurations) of your organization in the following manner: +- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores +- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. +- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Secure Score results out of the exception option that you made + +The exception impact shows on both the Security recommendations page column and in the flyout pane. + + ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index cb1913abcb..ee75d061da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -79,14 +79,12 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context. - - ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index a7ff6812ce..e1d39cdf5d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -63,6 +63,6 @@ You can report a false positive when you see any vague, inaccurate version, inco - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendation](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index e2615c2319..7eefec6595 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -15,25 +15,32 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/11/2019 +ms.date: 10/31/2019 --- # Weaknesses **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559 + +[!include[Prerelease information](prerelease.md)] Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights. >[!IMPORTANT] ->To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network: +>To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network: >- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) >- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) >- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) >- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) +>
Downloading the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019.
## Navigate through your organization's weaknesses page
-You can see the list of vulnerabilities in four ways:
+You can access the list of vulnerabilities in a few places in the portal:
+- Global search
+- Weaknesses option in the navigation menu
+- Top vulnerable software widget in the dashboard
+- Discovered vulnerabilities page in the machine page
*Vulnerabilities in global search*
1. Click the global search drop-down menu.
@@ -46,12 +53,13 @@ You can see the list of vulnerabilities in four ways:
*Weaknesses page in the menu*
1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization.
-2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, dates when it was published and updated, related software, exploit kits available, vulnerability type, link to useful reference, and number of exposed machines which users can also export.
+
*Top vulnerable software widget in the dashboard*
1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
-2. Click the software that you want to investigate and it takes you to the software page. You will the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation.
+2. Click the software that you want to investigate and it takes you to the software page. You will see the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation.
3. Select the **Discovered vulnerabilities** tab.
4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
@@ -68,22 +76,25 @@ You can see the list of vulnerabilities in four ways:
5. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
## How it works
-When new vulnerabilities are released, you would want know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page.
+When new vulnerabilities are released, you would want to know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page.
-If the **Exposed Machines** column shows 0, that means you are not infected.
+If the **Exposed Machines** column shows 0, that means you are not at risk.
-If there's a number in the **Exposed Machines**, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk.
+If exposed machines exist, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk.
You can also see the related alert and threat insights in the **Threat** column.
-The breach insights icons are highlighted if there are active alerts associated with the vulnerability found in your organization.
+The breach insights icon is highlighted if there is a vulnerability found in your organization. Prioritize an investigation because it means there might be a breach in your organization.
+
-The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is connected to specific campaign for which, Threat Analytics report links are provided that you can read.
+The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has zero-day exploitation news, disclosures, or related security advisories.
+
+
>[!NOTE]
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and possible active alert  icon.
+ > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and breach insight  icon.
## Report inaccuracy
@@ -115,6 +126,6 @@ You can report a false positive when you see any vague, inaccurate, missing, or
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendation](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index 8d498f43b4..e3afd90910 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -19,12 +19,12 @@ ms.topic: article
# Create and manage roles for role-based access control
**Applies to:**
-
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-roles-abovefoldlink)
+[!include[Prerelease information](prerelease.md)]
+
## Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
@@ -37,25 +37,31 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
- **Role name**
- **Description**
- **Permissions**
- - **View data** - Users can view information in the portal.
- - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
- - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
+ - **View data** - Users can view information in the portal.
+ >[!NOTE]
+ >To view Threat & Vulnerability Management data, select **Threat and vulnerability management**.
+
+ - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
+ - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
+ >[!NOTE]
+ >To enable your Security operation personnel to choose remediation options and file exceptions, select **Threat and vulnerability management - Remediation handling**, and **Threat and vulnerability management - Exception handling**.
+
+ - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
> [!NOTE]
> This setting is only available in the Microsoft Defender ATP administrator (default) role.
- - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
+ - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
- - **Live response capabilities** - Users can take basic or advanced live response commands.
- - Basic commands allow users to:
- - Start a live response session
- - Run read only live response commands on a remote machine
- - Advanced commands allow users to:
- - Run basic actions
- - Download a file from the remote machine
- - View a script from the files library
- - Run a script on the remote machine from the files library take read and write commands.
+ - **Live response capabilities** - Users can take basic or advanced live response commands.
+ - Basic commands allow users to:
+ - Start a live response session
+ - Run read only live response commands on a remote machine
+ - Advanced commands allow users to:
+ - Run basic actions
+ - Download a file from the remote machine
+ - View a script from the files library
+ - Run a script on the remote machine from the files library take read and write commands.
For more information on the available commands, see [Investigate machines using Live response](live-response.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
index 0673d31c32..da6e550794 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
@@ -1,7 +1,7 @@
---
title: Monitoring web browsing security in Microsoft Defender ATP
description: Use web protection in Microsoft Defender ATP to monitor web browsing security
-keywords: web protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
+keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -22,9 +22,7 @@ ms.date: 08/30/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-[!include[Prerelease information](prerelease.md)]
-
-Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains the following cards that provide web threat detection statistics:
+Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains cards that provide web threat detection statistics.
- **Web threat protection detections over time** — this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months)
@@ -44,7 +42,7 @@ Web protection categorizes malicious and unwanted websites as:
- **Custom indicator** — websites whose URLs or domains you've added to your [custom indicator list](manage-indicators.md) for blocking
## View the domain list
-Clicking on a specific web threat category in the **Web threat protection summary** card opens the **Domains** page, which shows a list of the domains prefiltered under that threat category. The page provides the following information for each domain:
+Select a specific web threat category in the **Web threat protection summary** card to open the **Domains** page and display the list of the domains under that threat category. The page provides the following information for each domain:
- **Access count** — number of requests for URLs in the domain
- **Blocks** — number of times requests were blocked
@@ -52,7 +50,7 @@ Clicking on a specific web threat category in the **Web threat protection summar
- **Threat category** — type of web threat
- **Machines** — number of machines with access attempts
-Selecting a domain opens a panel that shows the list of URLs in that domain that have been accessed. The panel also lists machines that have attempted to access URLs in the domain.
+Select a domain to view the list of machines that have attempted to access URLs in that domain as well as the list of URLs.
## Related topics
- [Web protection overview](web-protection-overview.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
index 714ddb9915..37f62a101c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
@@ -1,7 +1,7 @@
---
title: Overview of web protection in Microsoft Defender ATP
description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
-keywords: web protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
+keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -22,18 +22,16 @@ ms.date: 08/30/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-[!include[Prerelease information](prerelease.md)]
+Web protection in Microsoft Defender ATP uses [network protection](network-protection.md) to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
-Web protection in Microsoft Defender ATP leverages [network protection](network-protection.md) to secure your machines against web threats without relying on a web proxy, providing security for devices that are either away or on premises. By integrating with Microsoft Edge as well as popular third-party browsers like Chrome and Firefox, web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
+>[!Note]
+>It can take up to an hour for machines to receive new customer indicators.
With web protection, you also get:
- Comprehensive visibility into web threats affecting your organization
- Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the machines that access these URLs
- A full set of security features that track general access trends to malicious and unwanted websites
->[!Note]
->It can take up to an hour for machines to receive new customer indicators.
-
## Prerequisites
Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
index 1d2a797e10..e963f8f504 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
@@ -1,7 +1,7 @@
---
title: Respond to web threats in Microsoft Defender ATP
description: Respond to alerts related to malicious and unwanted websites. Understand how web threat protection informs end users through their web browsers and Windows notifications
-keywords: web protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page,
+keywords: web protection, web threat protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -22,8 +22,6 @@ ms.date: 08/30/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-[!include[Prerelease information](prerelease.md)]
-
Web protection in Microsoft Defender ATP lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list.
## View web threat alerts
@@ -62,10 +60,10 @@ You can also check the machine that attempted to access a blocked URL. Selecting
With web protection in Microsoft Defender ATP, your end users will be prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is performed by [network protection](network-protection.md), they will see a generic error from the web browser. They will also see a notification from Windows.
-*Web threat blocked by Microsoft Edge*
+*Web threat blocked on Microsoft Edge*
-
-*Web threat blocked by the Chrome web browser*
+
+*Web threat blocked on Chrome*
## Related topics
- [Web protection overview](web-protection-overview.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png
new file mode 100644
index 0000000000..dab113680f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png
new file mode 100644
index 0000000000..d33e01e247
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md
new file mode 100644
index 0000000000..e186faf62f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md
@@ -0,0 +1,82 @@
+---
+title: Configure and validate exclusions for Microsoft Defender ATP for Mac
+ms.reviewer:
+description: Describes how to provide and validate exclusions for Microsoft Defender ATP for Mac. Exclusions can be set for files, folders, and processes.
+keywords: microsoft, defender, atp, mac, exclusions, scans, antivirus
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Configure and validate exclusions for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
+
+>[!IMPORTANT]
+>The exclusions described in this article don't apply to other Microsoft Defender ATP for Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
+
+You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Mac scans.
+
+Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Mac.
+
+>[!WARNING]
+>Defining exclusions lowers the protection offered by Microsoft Defender ATP for Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+
+## Supported exclusion types
+
+The follow table shows the exclusion types supported by Microsoft Defender ATP for Mac.
+
+Exclusion | Definition | Examples
+---|---|---
+File extension | All files with the extension, anywhere on the machine | .test
+File | A specific file identified by the full path | /var/log/test.log
+Folder | All files under the specified folder | /var/log/
+Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat
cat
+
+## How to configure the list of exclusions
+
+### From the management console
+
+For more information on how to configure exclusions from JAMF, Intune, or another management console, see [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
+
+### From the user interface
+
+Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot:
+
+
+
+Select the type of exclusion that you wish to add and follow the prompts.
+
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using `curl` to download a test file.
+
+In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path.
+
+```bash
+$ curl -o test.txt http://www.eicar.org/download/eicar.com.txt
+```
+
+If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
+
+If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
+
+```bash
+echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
+```
+
+You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
index 08c55dea65..eac057b9fa 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
@@ -2,7 +2,7 @@
title: Installing Microsoft Defender ATP for Mac manually
ms.reviewer:
description: Describes how to install Microsoft Defender ATP for Mac manually, from the command line.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -80,66 +80,11 @@ To complete this process, you must have admin privileges on the machine.
The installation proceeds.
-> [!NOTE]
-> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled.
+> [!CAUTION]
+> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](microsoft-defender-atp-mac-support-kext.md) for information on how to resolve this.
> [!NOTE]
-> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-Time Protection will not be available until the machine is rebooted.
-
-### Fixing disabled Real-Time Protection
-
-If you did not enable Microsoft's driver during installation, then the application displays a banner prompting you to enable it:
-
- 
-
-You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available:
-
-```bash
-$ mdatp --health
-...
-realTimeProtectionAvailable : false
-realTimeProtectionEnabled : true
-...
-```
-
-> [!NOTE]
-> You have a 30 minute window to enable Real-Time Protection from the warning banner, immediately following installation.
-
-The warning banner contains a **Fix** button, which allows you to quickly enable Real-Time Protection, without having to open a command prompt. Select the **Fix** button. It prompts the **Security & Privacy** system window, where you have to **Allow** system software from developers "Microsoft Corporation".
-
-If you don't see a prompt, it means that 30 or more minutes have already passed, and Real-Time Protection has still not been enabled:
-
-
-
-In this case, you need to perform the following steps to enable Real-Time Protection instead.
-
-1. In Terminal, attempt to install the driver. (The operation will fail)
- ```bash
- $ sudo kextutil /Library/Extensions/wdavkext.kext
- Kext rejected due to system policy:
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.
**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
|
-|Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.
The container environment is reset, retaining only the employee-generated data.
The container environment is reset, including discarding all employee-generated data.
**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
+|Turn on Windows Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options:
**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.
**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.**Important**
**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.
**Important**
Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.|