deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-20 17:27:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into dep21H1

Browse Source
This commit is contained in:
greg-lindsay 2021-05-17 10:53:52 -07:00
commit e3cc8c0ff3
8 changed files with 116 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
windows/client-management/advanced-troubleshooting-boot-problems.md
View File

@ -22,7 +22,7 @@ ms.topic: troubleshooting
There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
| **Phase** | **Boot Process** | **BIOS** | **UEFI** |
| Phase | Boot Process | BIOS | UEFI |
|-----------|----------------------|------------------------------------|-----------------------------------|
| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
| 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi |
@ -73,10 +73,12 @@ Each phase has a different approach to troubleshooting. This article provides tr
To determine whether the system has passed the BIOS phase, follow these steps:
1. If there are any external peripherals connected to the computer, disconnect them.
2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase.
3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS.
If the system is stuck at the BIOS phase, there may be a hardware problem.
If the system is stuck at the BIOS phase, there may be a hardware problem.
## Boot loader phase
@ -116,20 +118,20 @@ The Startup Repair tool generates a log file to help you understand the startup
**%windir%\System32\LogFiles\Srt\Srttrail.txt**
For more information see, [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
For more information, see [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
### Method 2: Repair Boot Codes
To repair boot codes, run the following command:
```dos
```console
BOOTREC /FIXMBR
```
To repair the boot sector, run the following command:
```dos
```console
BOOTREC /FIXBOOT
```
@ -141,51 +143,54 @@ BOOTREC /FIXBOOT
If you receive BCD-related errors, follow these steps:
1. Scan for all the systems that are installed. To do this, run the following command:
```dos
```console
Bootrec /ScanOS
```
2. Restart the computer to check whether the problem is fixed.
3. If the problem is not fixed, run the following command:
```dos
```console
Bootrec /rebuildbcd
```
4. You might receive one of the following outputs:
```dos
```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 0
The operation completed successfully.
```
```dos
```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 1
D:\Windows
Add installation to boot list? Yes/No/All:
```
If the output shows **windows installation: 0**, run the following commands:
```dos
bcdedit /export c:\bcdbackup
attrib c:\\boot\\bcd -r s -h
ren c:\\boot\\bcd bcd.old
bootrec /rebuildbcd
```
After you run the command, you receive the following output:
```dos
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 1
{D}:\Windows
Add installation to boot list? Yes/No/All: Y
```
If the output shows **windows installation: 0**, run the following commands:
```console
bcdedit /export c:\bcdbackup
attrib c:\\boot\\bcd -r s -h
ren c:\\boot\\bcd bcd.old
bootrec /rebuildbcd
```
After you run the command, you receive the following output:
```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 1
{D}:\Windows
Add installation to boot list? Yes/No/All: Y
```
5. Try restarting the system.
@ -196,17 +201,20 @@ If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from driv
1. At a command prompt, change the directory to the System Reserved partition.
2. Run the **attrib** command to unhide the file:
```dos
```console
attrib -r -s -h
```
3. Run the same **attrib** command on the Windows (system drive):
```dos
```console
attrib -r -s -h
```
4. Rename the Bootmgr file as Bootmgr.old:
```dos
```console
ren c:\bootmgr bootmgr.old
```
@ -232,6 +240,7 @@ If the system gets stuck during the kernel phase, you experience multiple sympto
- A Stop error appears after the splash screen (Windows Logo screen).
- Specific error code is displayed.
For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
@ -319,19 +328,21 @@ To fix problems that occur after you install Windows updates, check for pending
1. Open a Command Prompt window in WinRE.
2. Run the command:
```dos
```console
DISM /image:C:\ /get-packages
```
3. If there are any pending updates, uninstall them by running the following commands:
```dos
```console
DISM /image:C:\ /remove-package /packagename: name of the package
```
```dos
```console
DISM /Image:C:\ /Cleanup-Image /RevertPendingActions
```
Try to start the computer.
Try to start the computer.
If the computer does not start, follow these steps:
@ -379,14 +390,18 @@ If the dump file shows an error that is related to a driver (for example, window
- If the driver is not important and has no dependencies, load the system hive, and then disable the driver.
- If the stop error indicates system file corruption, run the system file checker in offline mode.
- To do this, open WinRE, open a command prompt, and then run the following command:
```dos
```console
SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows
```
For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
- If there is disk corruption, run the check disk command:
```dos
```console
chkdsk /f /r
```

7
windows/client-management/mdm/policy-csp-localusersandgroups.md
View File

@ -125,7 +125,7 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura
Example 1: AAD focused.
The following example updates the built-in administrators group with AAD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444. On an AAD joined machines**.
The following example updates the built-in administrators group with AAD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
```xml
<GroupConfiguration>
@ -239,7 +239,7 @@ To troubleshoot Name/SID lookup APIs:
1. Enable **lsp.log** on the client device by running the following commands:
```cmd
```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x800 -Type dword -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x1 -Type dword -Force
@ -249,11 +249,12 @@ To troubleshoot Name/SID lookup APIs:
2. Turn the logging off by running the following command:
```cmd
```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x0 -Type dword -Force
```
```xml
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">
<xs:simpleType name="name">

3
windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
View File

@ -661,6 +661,9 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully
## Troubleshooting
> [!IMPORTANT]
> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This
If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence.
![monitoring](../images/mdt-monitoring.png)

3
windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
View File

@ -87,6 +87,8 @@ Visit the [Download and install the Windows ADK](/windows-hardware/get-started/a
- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042)
- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112)
- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334)
- (Optional) [The MDT_KB4564442 patch for BIOS firmware](https://download.microsoft.com/download/3/0/6/306AC1B2-59BE-43B8-8C65-E141EF287A5E/KB4564442/MDT_KB4564442.exe)
- This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you do not need this patch.
>[!TIP]
>You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).
@ -97,6 +99,7 @@ Visit the [Download and install the Windows ADK](/windows-hardware/get-started/a
3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step.
4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file.
- You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later.
5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/en-us/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch.
## Install and initialize Windows Deployment Services (WDS)

6
windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
View File

@ -21,8 +21,8 @@ ms.technology: mde
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
>[!NOTE]
>Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
> [!NOTE]
> Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements
Your environment needs the following hardware to run Microsoft Defender Application Guard.
@ -42,4 +42,4 @@ Your environment needs the following software to run Microsoft Defender Applicat
|--------|-----------|
|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803 or higher<br>Windows 10 Professional for Workstations edition, version 1803 or higher<br>Windows 10 Professional Education edition version 1803 or higher<br>Windows 10 Education edition, version 1903 or higher<br>Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. |
|Browser|Microsoft Edge and Internet Explorer|
|Management system<br> (only for managed devices)|[Microsoft Intune](/intune/)<br><br>**-OR-**<br><br>[Microsoft Endpoint Configuration Manager](/configmgr/)<br><br>**-OR-**<br><br>[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
|Management system<br> (only for managed devices)|[Microsoft Intune](/intune/)<br><br>**-OR-**<br><br>[Microsoft Endpoint Configuration Manager](/configmgr/)<br><br>**-OR-**<br><br>[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|

43
windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
View File

@ -14,14 +14,14 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.date: 05/19/2021
ms.technology: mde
---
# Deny access to this computer from the network
**Applies to**
- Windows 10
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny access to this computer from the network** security policy setting.
@ -33,12 +33,12 @@ Constant: SeDenyNetworkLogonRight
### Possible values
- User-defined list of accounts
- Guest
- User-defined list of accounts
- Guest
### Best practices
- Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers.
- Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers.
### Location
@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Guest |
| Stand-Alone Server Default Settings | Guest |
| Domain Controller Effective Default Settings | Guest |
| Member Server Effective Default Settings | Guest |
| Client Computer Effective Default Settings | Guest |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Guest |
| Stand-Alone Server Default Settings | Guest |
| Domain Controller Effective Default Settings | Guest |
| Member Server Effective Default Settings | Guest |
| Client Computer Effective Default Settings | Guest |
## Policy management
This section describes features and tools available to help you manage this policy.
@ -74,10 +74,10 @@ Any change to the user rights assignment for an account becomes effective the ne
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
@ -93,13 +93,16 @@ Users who can log on to the device over the network can enumerate lists of accou
Assign the **Deny access to this computer from the network** user right to the following accounts:
- Anonymous logon
- Built-in local Administrator account
- Local Guest account
- All service accounts
- Anonymous logon
- Built-in local Administrator account
- Local Guest account
- All service accounts
An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, lets say you have configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns.
> [!NOTE]
> If the service account is configured in the logon properties of a Windows service, it requires network logon rights to the domain controllers to start properly.
### Potential impact
If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks are not negatively affected.

21
windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
View File

@ -32,7 +32,6 @@ This topic covers how to disable unsigned or signed WDAC policies.
There may come a time when an administrator wants to disable a WDAC policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then simply delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart:
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
Note that as of the Windows 10 May 2019 Update (1903), WDAC allows multiple policies to be deployed to a device. To fully disable WDAC when multiple policies are in effect, you must first disable each method being used to deploy a policy. Then delete the {Policy GUID}.cip policy files found in the \CIPolicies\Active subfolder under each of the paths listed above in addition to any SIPolicy.p7b file found in the root directory.
@ -43,21 +42,22 @@ Signed policies protect Windows from administrative manipulation as well as malw
> [!NOTE]
> For reference, signed WDAC policies should be replaced and removed from the following locations:
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
>
> * &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
> * &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
> **Note**&nbsp;&nbsp;To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
> [!NOTE]
> To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
2. Restart the client computer.
3. Verify that the new signed policy exists on the client.
> **Note**&nbsp;&nbsp;If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
> [!NOTE]
> If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
4. Delete the new policy.
@ -67,13 +67,15 @@ If the signed WDAC policy has been deployed using by using Group Policy, you mus
1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
> **Note**&nbsp;&nbsp;To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
> [!NOTE]
> To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
2. Restart the client computer.
3. Verify that the new signed policy exists on the client.
> **Note**&nbsp;&nbsp;If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
> [!NOTE]
> If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
4. Set the GPO to disabled.
@ -86,5 +88,4 @@ If the signed WDAC policy has been deployed using by using Group Policy, you mus
There may be a time when signed WDAC policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows:
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\

17
windows/sv/index.md
View File

@ -1 +1,16 @@
# Welcome to SV!
---
title: No title
description: No description
keywords: ["Windows 10"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.author: greglin
manager: laurawi
ms.localizationpriority: high
ms.topic: article
---
# _