From f187a70c66f129af27aea29b09113f194a14b7c0 Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Wed, 12 May 2021 15:19:16 -0700
Subject: [PATCH 01/11] Update reqs-md-app-guard.md
---
.../microsoft-defender-application-guard/reqs-md-app-guard.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index ab3603b914..351fc52cb2 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -22,7 +22,7 @@ ms.technology: mde
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
>[!NOTE]
->Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
+>Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and VDI environment. Hence, MDAG is currently not official supported on VMs and VDI environment. However, for testing and automation on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements
Your environment needs the following hardware to run Microsoft Defender Application Guard.
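Review bot: the added note (`+>Given the technological complexity...`) has grammar errors that should be fixed before merge: "not official supported" should be "not officially supported", and "on VMs and VDI environment" should read "on VMs and in VDI environments" in both places. The `>[!NOTE]` marker directly above it also lacks the space after `>` that the rest of these docs use.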
@@ -42,4 +42,4 @@ Your environment needs the following software to run Microsoft Defender Applicat
|--------|-----------|
|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. |
|Browser|Microsoft Edge and Internet Explorer|
-|Management system
(only for managed devices)|[Microsoft Intune](/intune/)
**-OR-**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**-OR-**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
\ No newline at end of file
+|Management system
(only for managed devices)|[Microsoft Intune](/intune/)
**-OR-**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**-OR-**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
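Review bot: this hunk changes nothing except the missing end-of-file newline (the removed and added Management-system rows are identical apart from the `\ No newline at end of file` marker), which is fine, but the unchanged context line beginning `Professional editions are only supported...` still says "WDAG" while the note edited above now says "MDAG"; rename it in the same PR so the article uses one abbreviation.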
From 058e0b0dc05730baf8028d68221bc4eb424e1f2d Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Wed, 12 May 2021 16:08:32 -0700
Subject: [PATCH 02/11] Update
windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 351fc52cb2..6e11d6eabb 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -22,7 +22,7 @@ ms.technology: mde
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
>[!NOTE]
->Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and VDI environment. Hence, MDAG is currently not official supported on VMs and VDI environment. However, for testing and automation on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.
+> Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements
Your environment needs the following hardware to run Microsoft Defender Application Guard.
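Review bot: the grammar corrections are right. The `>[!NOTE]` line immediately above the changed line still has no space after `>` while the new line reads `> Given ...`; make the two lines consistent (the trailing-space form is the one used elsewhere in the docs).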
From 1f1d9d807c884b12b242a5e8b890473220574e09 Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Wed, 12 May 2021 16:08:39 -0700
Subject: [PATCH 03/11] Update
windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 6e11d6eabb..0c9b491dc5 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -21,7 +21,7 @@ ms.technology: mde
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
->[!NOTE]
+> [!NOTE]
> Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements
From c4a3e588e19935ade4b151f3310c824821ef1a4e Mon Sep 17 00:00:00 2001
From: "Sean Williams [MSFT]" <72675818+sewillia-msft@users.noreply.github.com>
Date: Thu, 13 May 2021 18:13:58 -0700
Subject: [PATCH 04/11] "Disable WDAC Policies": Cleanup formatting
This PR performs a few list/callout-related changes to the article ["Disable Windows Defender Application Control Policies"](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies):
* Move list of WDAC policy locations into "Note" callout referencing them
* Replace boldface "Note" with DFM `[!NOTE]` tags
---
...s-defender-application-control-policies.md | 21 ++++++++++---------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
index a84b17e822..6cbf4d90fa 100644
--- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
@@ -32,7 +32,6 @@ This topic covers how to disable unsigned or signed WDAC policies.
There may come a time when an administrator wants to disable a WDAC policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then simply delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart:
- <EFI System Partition>\\Microsoft\\Boot\\
-
- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
Note that as of the Windows 10 May 2019 Update (1903), WDAC allows multiple policies to be deployed to a device. To fully disable WDAC when multiple policies are in effect, you must first disable each method being used to deploy a policy. Then delete the {Policy GUID}.cip policy files found in the \CIPolicies\Active subfolder under each of the paths listed above in addition to any SIPolicy.p7b file found in the root directory.
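Review bot: removing the blank line between the two path bullets is fine, but `<EFI System Partition>` and `<OS Volume>` are written as raw angle-bracket text with escaped backslashes (`\\`); outside a code span the angle brackets can be swallowed as HTML and the escapes render unpredictably. Wrap each path in backticks so it is shown literally, for example `<EFI System Partition>\Microsoft\Boot\`.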
@@ -43,21 +42,22 @@ Signed policies protect Windows from administrative manipulation as well as malw
> [!NOTE]
> For reference, signed WDAC policies should be replaced and removed from the following locations:
-
-- <EFI System Partition>\\Microsoft\\Boot\\
-
-- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
+>
+> * <EFI System Partition>\\Microsoft\\Boot\\
+> * <OS Volume>\\Windows\\System32\\CodeIntegrity\\
1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
- > **Note** To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
+ > [!NOTE]
+ > To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
2. Restart the client computer.
3. Verify that the new signed policy exists on the client.
- > **Note** If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
+ > [!NOTE]
+ > If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
4. Delete the new policy.
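Review bot: the bullets moved into the `[!NOTE]` callout use `*` while every other list in this file (including the two path lists in the surrounding hunks) uses `-`; pick one marker. The same raw angle-bracket and `\\` concern from the first hunk applies to these two paths; put them in backticks. The `[!NOTE]` conversions under steps 1 and 3 are correct and keep the warning about boot failures attached to the step it belongs to.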
@@ -67,13 +67,15 @@ If the signed WDAC policy has been deployed using by using Group Policy, you mus
1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
- > **Note** To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
+ > [!NOTE]
+ > To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
2. Restart the client computer.
3. Verify that the new signed policy exists on the client.
- > **Note** If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
+ > [!NOTE]
+ > If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
4. Set the GPO to disabled.
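Review bot: the hunk header context `If the signed WDAC policy has been deployed using by using Group Policy` contains a doubled "using by using"; since this PR is a cleanup of the same article, fix that sentence as well. The `[!NOTE]` conversions here match the previous hunk.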
@@ -86,5 +88,4 @@ If the signed WDAC policy has been deployed using by using Group Policy, you mus
There may be a time when signed WDAC policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows:
- <EFI System Partition>\\Microsoft\\Boot\\
-
- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
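Review bot: the two paths here use the same raw `<EFI System Partition>` / `<OS Volume>` form as the first hunk and should get the same backtick treatment. The sentence above only describes disabling Secure Boot in the BIOS to get the system booting again; consider adding that Secure Boot should be re-enabled once the offending policy file has been removed, since leaving it off weakens the pre-boot validation this section relies on.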
From ac6167f3dbb28fcf97a3dc5eca481c312875cd97 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Fri, 14 May 2021 11:34:37 -0700
Subject: [PATCH 05/11] add patch info
---
.../deploy-windows-mdt/create-a-windows-10-reference-image.md | 3 +++
.../prepare-for-windows-deployment-with-mdt.md | 3 +++
2 files changed, 6 insertions(+)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index a7bf59ddef..2150a2ab0c 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -661,6 +661,9 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully
## Troubleshooting
+> [!IMPORTANT]
+> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This
+
If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence.
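Review bot: the added `[!IMPORTANT]` callout ends with a dangling "This" (`...computers with BIOS type firmware). This`), so the sentence is cut off and will publish incomplete; either finish the sentence or remove the trailing word before merging.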

diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 5f3c2aa9ad..4250054f65 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -87,6 +87,8 @@ Visit the [Download and install the Windows ADK](/windows-hardware/get-started/a
- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042)
- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112)
- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334)
+- (Optional) [The MDT_KB4564442 patch for BIOS firmware](https://download.microsoft.com/download/3/0/6/306AC1B2-59BE-43B8-8C65-E141EF287A5E/KB4564442/MDT_KB4564442.exe)
+ - This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you do not need this patch.
>[!TIP]
>You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).
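Review bot: the new optional bullet links straight to an `.exe` download (`MDT_KB4564442.exe`) without mentioning the support article that describes the fix; link the KB article here as well (the later hunk already references it) so readers get context and installation guidance before fetching a binary. The nested explanation bullet is indented by one space rather than the two or more most renderers require for a sub-item, and the existing `>[!TIP]` line below is missing the space after `>`.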
@@ -97,6 +99,7 @@ Visit the [Download and install the Windows ADK](/windows-hardware/get-started/a
3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step.
4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file.
- You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later.
+5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/en-us/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch.
## Install and initialize Windows Deployment Services (WDS)
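Review bot: "BIOS based deployment" should be hyphenated as "BIOS-based", matching "BIOS-based machines" in the other hunk of this patch. The new step 5 otherwise reads correctly and numbers on from step 4.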
From 9b1a7c66a0cbae49d0283665872a60016e8e0a83 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Fri, 14 May 2021 12:27:56 -0700
Subject: [PATCH 06/11] fix warnings
---
windows/sv/index.md | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/windows/sv/index.md b/windows/sv/index.md
index 8f7cbe8630..d227b9886e 100644
--- a/windows/sv/index.md
+++ b/windows/sv/index.md
@@ -1 +1,14 @@
-# Welcome to SV!
\ No newline at end of file
+---
+title: No title
+description: No description
+keywords: ["Windows 10"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+manager: laurawi
+ms.localizationpriority: high
+ms.topic: article
+---
\ No newline at end of file
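Review bot: the front matter added here ships placeholder values (`title: No title`, `description: No description`) and the hunk removes the only body content (`# Welcome to SV!`), leaving a page with metadata and nothing to render. If the goal is only to silence build warnings, the title and description should still be real text because they are rendered and indexed; the file also still ends without a newline.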
From 8c9a027d5c285567ed1ba3e884016bf09c953023 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Fri, 14 May 2021 12:30:30 -0700
Subject: [PATCH 07/11] fix warning
---
windows/sv/index.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/windows/sv/index.md b/windows/sv/index.md
index d227b9886e..958e8bb4b3 100644
--- a/windows/sv/index.md
+++ b/windows/sv/index.md
@@ -11,4 +11,6 @@ ms.author: greglin
manager: laurawi
ms.localizationpriority: high
ms.topic: article
----
\ No newline at end of file
+---
+
+#
\ No newline at end of file
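Review bot: `#` on its own is an empty heading, which Markdown linters flag (very likely the warning this commit is chasing); either give the heading text or drop it. The file still ends without a newline.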
From c9d2378758b97beb15251b1a481a23ecfc089afd Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Fri, 14 May 2021 12:33:21 -0700
Subject: [PATCH 08/11] fix warning again
---
windows/sv/index.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/sv/index.md b/windows/sv/index.md
index 958e8bb4b3..700bfbca0e 100644
--- a/windows/sv/index.md
+++ b/windows/sv/index.md
@@ -13,4 +13,4 @@ ms.localizationpriority: high
ms.topic: article
---
-#
\ No newline at end of file
+# _
\ No newline at end of file
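Review bot: `# _` replaces an empty heading with one that renders as a lone underscore, which is still a placeholder visible to readers; put the intended page title here, for example the `Welcome to SV!` text removed two commits earlier, and add the missing trailing newline while touching the line.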
From 2c9464c0bc6267e07680d969a58dc8e127e9f845 Mon Sep 17 00:00:00 2001
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com>
Date: Sun, 16 May 2021 10:12:07 +0200
Subject: [PATCH 09/11] Note addition to the Countermeasure section
As requested in issue ticket #9523 (**Please add a note**), the aim of this PR
is to add a note to the Countermeasure section of the document article
"Deny access to this computer from the network".
Thanks to Daniele Bona (dbona75) for the request.
Proposed change:
- Add a Note blob explaining the required Network Logon rights to the domain controllers.
Codestyle & whitespace changes:
- Remove any redundant end-of-line (EOL) blanks.
Closes #9523
---
...ccess-to-this-computer-from-the-network.md | 44 ++++++++++---------
1 file changed, 24 insertions(+), 20 deletions(-)
diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
index 426bbb78d9..59358f537b 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
@@ -14,14 +14,14 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 05/19/2021
ms.technology: mde
---
# Deny access to this computer from the network
**Applies to**
-- Windows 10
+- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny access to this computer from the network** security policy setting.
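Review bot: `ms.date: 05/19/2021` is three days after this commit's own date (16 May 2021); confirm that is the intended publication date or use the commit date. The remaining changed lines in this hunk are trailing-whitespace removal only, which is fine.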
@@ -33,12 +33,12 @@ Constant: SeDenyNetworkLogonRight
### Possible values
-- User-defined list of accounts
-- Guest
+- User-defined list of accounts
+- Guest
### Best practices
-- Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers.
+- Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers.
### Location
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Guest |
-| Stand-Alone Server Default Settings | Guest |
-| Domain Controller Effective Default Settings | Guest |
-| Member Server Effective Default Settings | Guest |
-| Client Computer Effective Default Settings | Guest |
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Guest |
+| Stand-Alone Server Default Settings | Guest |
+| Domain Controller Effective Default Settings | Guest |
+| Member Server Effective Default Settings | Guest |
+| Client Computer Effective Default Settings | Guest |
+
## Policy management
This section describes features and tools available to help you manage this policy.
@@ -74,10 +74,10 @@ Any change to the user rights assignment for an account becomes effective the ne
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
-1. Local policy settings
-2. Site policy settings
-3. Domain policy settings
-4. OU policy settings
+1. Local policy settings
+2. Site policy settings
+3. Domain policy settings
+4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
@@ -93,13 +93,17 @@ Users who can log on to the device over the network can enumerate lists of accou
Assign the **Deny access to this computer from the network** user right to the following accounts:
-- Anonymous logon
-- Built-in local Administrator account
-- Local Guest account
-- All service accounts
+- Anonymous logon
+- Built-in local Administrator account
+- Local Guest account
+- All service accounts
An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you have configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns.
+> [!NOTE]
+> If the service account is configured in the logon properties of a Windows Service,
+> it requires Network Logon rights to the domain controllers to start properly.
+
### Potential impact
If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks are not negatively affected.
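Review bot: the new note hard-wraps one sentence across two `>` lines; it renders as a single paragraph, but the rest of the file keeps each callout sentence on one line, so join them. "Network Logon rights" should also name the counterpart user right explicitly (Access this computer from the network, the grant side of the `SeDenyNetworkLogonRight` constant this article documents) so readers know which policy to check on the domain controllers.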
From 4009f6af5847411376f9d751bb6f187f4fd39d32 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Sun, 16 May 2021 17:02:49 -0700
Subject: [PATCH 10/11] Various corrections to layout and presentation
Table headings are bold by default. Adding formatting for bold results in a lighter weight font than is standard.
Valid "slugs" for code blocks are listed here: https://review.docs.microsoft.com/en-us/help/contribute/metadata-taxonomies?branch=master#dev-lang
---
.../advanced-troubleshooting-boot-problems.md | 91 +++++++++++--------
.../mdm/policy-csp-localusersandgroups.md | 7 +-
2 files changed, 57 insertions(+), 41 deletions(-)
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index f91c6fab55..646585085e 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -22,7 +22,7 @@ ms.topic: troubleshooting
There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
-| **Phase** | **Boot Process** | **BIOS** | **UEFI** |
+| Phase | Boot Process | BIOS | UEFI |
|-----------|----------------------|------------------------------------|-----------------------------------|
| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
| 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi |
@@ -73,10 +73,12 @@ Each phase has a different approach to troubleshooting. This article provides tr
To determine whether the system has passed the BIOS phase, follow these steps:
1. If there are any external peripherals connected to the computer, disconnect them.
+
2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase.
+
3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS.
-If the system is stuck at the BIOS phase, there may be a hardware problem.
+ If the system is stuck at the BIOS phase, there may be a hardware problem.
## Boot loader phase
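Review bot: indenting `If the system is stuck at the BIOS phase, there may be a hardware problem.` under step 3 makes it read as the continuation of that step, but it is the conclusion of all three checks; leave it as its own unindented paragraph after the list, or move it into a callout.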
@@ -116,20 +118,20 @@ The Startup Repair tool generates a log file to help you understand the startup
**%windir%\System32\LogFiles\Srt\Srttrail.txt**
-For more information see, [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
+For more information, see [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
### Method 2: Repair Boot Codes
To repair boot codes, run the following command:
-```dos
+```console
BOOTREC /FIXMBR
```
To repair the boot sector, run the following command:
-```dos
+```console
BOOTREC /FIXBOOT
```
@@ -141,51 +143,54 @@ BOOTREC /FIXBOOT
If you receive BCD-related errors, follow these steps:
1. Scan for all the systems that are installed. To do this, run the following command:
- ```dos
+
+ ```console
Bootrec /ScanOS
```
2. Restart the computer to check whether the problem is fixed.
3. If the problem is not fixed, run the following command:
- ```dos
+
+ ```console
Bootrec /rebuildbcd
```
4. You might receive one of the following outputs:
- ```dos
+
+ ```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 0
The operation completed successfully.
```
- ```dos
+ ```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 1
D:\Windows
Add installation to boot list? Yes/No/All:
```
-If the output shows **windows installation: 0**, run the following commands:
-
-```dos
-bcdedit /export c:\bcdbackup
-
-attrib c:\\boot\\bcd -r –s -h
-
-ren c:\\boot\\bcd bcd.old
-
-bootrec /rebuildbcd
-```
-
-After you run the command, you receive the following output:
-
-```dos
-Scanning all disks for Windows installations. Please wait, since this may take a while ...
-Successfully scanned Windows installations. Total identified Windows installations: 1
-{D}:\Windows
-Add installation to boot list? Yes/No/All: Y
-```
+ If the output shows **windows installation: 0**, run the following commands:
+
+ ```console
+ bcdedit /export c:\bcdbackup
+
+ attrib c:\\boot\\bcd -r –s -h
+
+ ren c:\\boot\\bcd bcd.old
+
+ bootrec /rebuildbcd
+ ```
+
+ After you run the command, you receive the following output:
+
+ ```console
+ Scanning all disks for Windows installations. Please wait, since this may take a while ...
+ Successfully scanned Windows installations. Total identified Windows installations: 1
+ {D}:\Windows
+ Add installation to boot list? Yes/No/All: Y
+ ```
5. Try restarting the system.
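Review bot: `attrib c:\\boot\\bcd -r –s -h` uses an en dash (`–s`) instead of a hyphen before `s`, so the command fails if copied; and inside a fenced block the doubled `\\` are not Markdown escapes and are shown literally, so `c:\\boot\\bcd` should be `c:\boot\bcd` in both the `attrib` and `ren` lines. The `{D}:\Windows` placeholder in the second sample output also differs from the `D:\Windows` shown in the earlier sample; align them. Moving the commands under step 4 is otherwise the right structure.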
@@ -196,17 +201,20 @@ If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from driv
1. At a command prompt, change the directory to the System Reserved partition.
2. Run the **attrib** command to unhide the file:
- ```dos
+
+ ```console
attrib -r -s -h
```
3. Run the same **attrib** command on the Windows (system drive):
- ```dos
+
+ ```console
attrib -r -s -h
```
4. Rename the Bootmgr file as Bootmgr.old:
- ```dos
+
+ ```console
ren c:\bootmgr bootmgr.old
```
@@ -232,6 +240,7 @@ If the system gets stuck during the kernel phase, you experience multiple sympto
- A Stop error appears after the splash screen (Windows Logo screen).
- Specific error code is displayed.
+
For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
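Review bot: the context line lists `"0x00000C2"` with seven hex digits beside `"0x0000007B"` with eight; Stop codes are eight hex digits, so this should be `0x000000C2`. Since this hunk only inserts a blank line here, it is a cheap fix to fold in.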
@@ -319,19 +328,21 @@ To fix problems that occur after you install Windows updates, check for pending
1. Open a Command Prompt window in WinRE.
2. Run the command:
- ```dos
+
+ ```console
DISM /image:C:\ /get-packages
```
3. If there are any pending updates, uninstall them by running the following commands:
- ```dos
+
+ ```console
DISM /image:C:\ /remove-package /packagename: name of the package
```
- ```dos
+ ```console
DISM /Image:C:\ /Cleanup-Image /RevertPendingActions
```
-Try to start the computer.
+ Try to start the computer.
If the computer does not start, follow these steps:
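Review bot: `DISM /image:C:\ /remove-package /packagename: name of the package` has a space after the colon and an unmarked placeholder; write it as `/packagename:<package name>` (no space) so readers do not paste the literal words. Re-indenting `Try to start the computer.` under step 3 is correct because it belongs to that step.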
@@ -379,14 +390,18 @@ If the dump file shows an error that is related to a driver (for example, window
- If the driver is not important and has no dependencies, load the system hive, and then disable the driver.
- If the stop error indicates system file corruption, run the system file checker in offline mode.
+
- To do this, open WinRE, open a command prompt, and then run the following command:
- ```dos
+
+ ```console
SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows
```
+
For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
- If there is disk corruption, run the check disk command:
- ```dos
+
+ ```console
chkdsk /f /r
```
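Review bot: the SFC example mixes drive letters (`/OffBootDir=C:\` versus `/OffWinDir=E:\Windows`) with no explanation; add a sentence stating that the letters WinRE assigns differ from those of the installed OS and that readers must substitute the ones actually present. The new blank line inserted between the `- If the stop error ...` and `- To do this ...` bullets also splits what reads as a single instruction into two separate items.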
diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md
index 3e31340ff3..68938fa3b7 100644
--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@@ -125,7 +125,7 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura
Example 1: AAD focused.
-The following example updates the built-in administrators group with AAD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444. On an AAD joined machines**.
+The following example updates the built-in administrators group with AAD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
```xml
@@ -239,7 +239,7 @@ To troubleshoot Name/SID lookup APIs:
1. Enable **lsp.log** on the client device by running the following commands:
- ```cmd
+ ```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x800 -Type dword -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x1 -Type dword -Force
@@ -249,11 +249,12 @@ To troubleshoot Name/SID lookup APIs:
2. Turn the logging off by running the following command:
- ```cmd
+ ```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x0 -Type dword -Force
```
+
```xml
From 6fea59ffdf2a99859cec7eca847b33905cfa6ae4 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Mon, 17 May 2021 09:58:29 -0700
Subject: [PATCH 11/11] Update
windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../deny-access-to-this-computer-from-the-network.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
index 59358f537b..04844990fd 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
@@ -101,8 +101,7 @@ Assign the **Deny access to this computer from the network** user right to the f
An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you have configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns.
> [!NOTE]
-> If the service account is configured in the logon properties of a Windows Service,
-> it requires Network Logon rights to the domain controllers to start properly.
+> If the service account is configured in the logon properties of a Windows service, it requires network logon rights to the domain controllers to start properly.
### Potential impact