| Product name | +App info | +
|---|---|
Microsoft Edge |
+Publisher: Product Name: Microsoft.MicrosoftEdge +App Type: Universal App |
+
IE11 |
+Publisher: File Name: iexplore.exe +App Type: Desktop App |
+
Microsoft People |
+Publisher: Product Name: Microsoft.People +App Type: Universal App |
+
Word Mobile |
+Publisher: Product Name: Microsoft.Office.Word +App Type: Universal App |
+
Excel Mobile |
+Publisher: Product Name: Microsoft.Office.Excel +App Type: Universal App |
+
PowerPoint Mobile |
+Publisher: Product Name: Microsoft.Office.PowerPoint +App Type: Universal App |
+
OneNote |
+Publisher: Product Name: Microsoft.Office.OneNote +App Type: Universal App |
+
Outlook Mail and Calendar |
+Publisher: Product Name: microsoft.windowscommunicationsapps +App Type: Universal App |
+
Microsoft Photos |
+Publisher: Product Name: Microsoft.Windows.Photos +App Type: Universal AppMicrosoft.Windows.Photos |
+
Microsoft OneDrive |
+Publisher: Product Name: microsoft.microsoftskydrive +App Type: Universal App |
+
Groove Music |
+Publisher: Product Name: Microsoft.ZuneMusic +App Type: Universal App |
+
Notepad |
+Publisher: File Name: notepad.exe +App Type: Desktop App |
+
Microsoft Paint |
+Publisher: File Name: mspaint.exe +App Type: Desktop App |
+
Microsoft Movies & TV |
+Publisher: Product Name: Microsoft.ZuneVideo +App Type: Universal App |
+
Microsoft Messaging |
+Publisher: Product Name: Microsoft.Messaging +App Type: Universal App |
+
| Topic | +Description | +
|---|---|
[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md)) |
+Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. |
+
[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)) |
+We've come up with a list of suggested testing scenarios that you can use to test EDP in your company. |
+
| Policy | -Options | -|
|---|---|---|
| Use Microsoft Passport for Work | -- |
- Not configured: Users can provision Passport for Work, which encrypts their domain password. -Enabled: Device provisions Passport for Work using keys or certificates for all users. -Disabled: Device does not provision Passport for Work for any user. - |
-
| Use a hardware security device | -- |
- Not configured: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. -Enabled: Passport for Work will only be provisioned using TPM. -Disabled: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. - |
-
| Use biometrics | -- |
- Not configured: Biometrics can be used as a gesture in place of a PIN. -Enabled: Biometrics can be used as a gesture in place of a PIN. -Disabled: Only a PIN can be used as a gesture. - |
-
| PIN Complexity | -Require digits | -
- Not configured: Users must include a digit in their PIN. -Enabled: Users must include a digit in their PIN. -Disabled: Users cannot use digits in their PIN. - |
-
| Require lowercase letters | -
- Not configured: Users cannot use lowercase letters in their PIN. -Enabled: Users must include at least one lowercase letter in their PIN. -Disabled: Users cannot use lowercase letters in their PIN. - |
-|
| Maximum PIN length | -
- Not configured: PIN length must be less than or equal to 127. -Enabled: PIN length must be less than or equal to the number you specify. -Disabled: PIN length must be less than or equal to 127. - |
-|
| Minimum PIN length | -
- Not configured: PIN length must be greater than or equal to 4. -Enabled: PIN length must be greater than or equal to the number you specify. -Disabled: PIN length must be greater than or equal to 4. - |
-|
| Expiration | -
- Not configured: PIN does not expire. -Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0. -Disabled: PIN does not expire. - |
-|
| History | -
- Not configured: Previous PINs are not stored. -Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused. -Disabled: Previous PINs are not stored. -Note Current PIN is included in PIN history.
- |
-|
| Require special characters | -
- Not configured: Users cannot include a special character in their PIN. -Enabled: Users must include at least one special character in their PIN. -Disabled: Users cannot include a special character in their PIN. - |
-|
| Require uppercase letters | -
- Not configured: Users cannot include an uppercase letter in their PIN. -Enabled: Users must include at least one uppercase letter in their PIN. -Disabled: Users cannot include an uppercase letter in their PIN. - |
-|
| Remote Passport | -
- Use Remote Passport -Note Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
- |
-
- Not configured: Remote Passport is disabled. -Enabled: Users can use a portable, registered device as a companion device for desktop authentication. -Disabled: Remote Passport is disabled. - |
-
This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md).
[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-an-enterprise.md)
[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md))
To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.
In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN.
[Windows Hello biometrics in the enterprise](windows-hello-biometrics-in-the-enterprise.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md))
Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.
[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md))
With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage.
[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.
[VPN profile options](vpn-profile-options.md)
Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect.
[Security technologies](security-technologies.md)
Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile.
[Enterprise security guides](enterprise-security-guides-portal.md)
[Enterprise security guides](windows-10-enterprise-security-guides.md)
Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides.
| Topic | +Description | +
|---|---|
[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)) |
+Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
+
[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)) |
+Configuration Manager (version 1511 or later) helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
+
| Operating System | +Management solution | +
|---|---|
Windows 10 Insider Preview |
+Microsoft Intune +-OR- +System Center Configuration Manager (version 1511 or later) +-OR- +Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [Custom URI - Policy CSP](http://go.microsoft.com/fwlink/?LinkID=733963) documentation. |
+
| Mode | +Description | +
|---|---|
Block |
+EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise. |
+
Override |
+EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
+
Silent |
+EDP runs silently, logging inappropriate data sharing, without blocking anything. |
+
Off |
+EDP is turned off and doesn't help to protect or audit your data. +After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |
+
| EDP scenario | +Without Azure Rights Management | +Workaround | +
|---|---|---|
Saving enterprise data to USB drives |
+Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |
+Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited. +We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
+
Sharing enterprise data through email attachments |
+The attachment is sent unprotected. |
+Store documents on enterprise cloud or network sites, and share links. |
+
Synchronizing data to other services or public cloud storage |
+Synchronized files aren't protected on additional services or as part of public cloud storage. |
+Stop the app from synchronizing or don't add the app to your Protected App list. +For more info about adding apps to the Protected Apps list, see either the [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md)) or the [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md)) topic, depending on your management solution. |
+
Describes the best practices, location, values, management practices, and security considerations for the Audit: Shut down system immediately if unable to log security audits security policy setting.
[DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language--sddl--syntax.md)
[DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
Describes the best practices, location, values, and security considerations for the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting.
[DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language--sddl--syntax.md)
[DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
Describes the best practices, location, values, and security considerations for the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting.
Describes the best practices, location, values, and security considerations for the Domain controller: Refuse machine account password changes security policy setting.
[Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md)
[Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
Describes the best practices, location, values, and security considerations for the Domain member: Digitally encrypt or sign secure channel data (always) security policy setting.
[Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data--when-possible.md)
[Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
Describes the best practices, location, values, and security considerations for the Domain member: Digitally encrypt secure channel data (when possible) security policy setting.
[Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data--when-possible.md)
[Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
Describes the best practices, location, values, and security considerations for the Domain member: Digitally sign secure channel data (when possible) security policy setting.
Describes the best practices, location, values, and security considerations for the Domain member: Maximum machine account password age security policy setting.
[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong--windows-2000-or-later--session-key.md)
[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
Describes the best practices, location, values, and security considerations for the Domain member: Require strong (Windows 2000 or later) session key security policy setting.
Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Message title for users attempting to log on security policy setting.
[Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache--in-case-domain-controller-is-not-available.md)
[Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Number of previous logons to cache (in case domain controller is not available) security policy setting.
Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Smart card removal behavior security policy setting.
[Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications--always.md)
[Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md)
Describes the best practices, location, values, policy management and security considerations for the Microsoft network client: Digitally sign communications (always) security policy setting.
[Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications--if-server-agrees.md)
[Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
Describes the best practices, location, values, and security considerations for the Microsoft network client: Digitally sign communications (if server agrees) security policy setting.
Describes the best practices, location, values, management, and security considerations for the Microsoft network server: Attempt S4U2Self to obtain claim information security policy setting.
[Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications--always.md)
[Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)
Describes the best practices, location, values, policy management and security considerations for the Microsoft network server: Digitally sign communications (always) security policy setting.
[Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications--if-client-agrees.md)
[Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
Describes the best practices, location, values, policy management and security considerations for the Microsoft network server: Digitally sign communications (if client agrees) security policy setting.
This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system.
[Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based--including-secure-rpc--clients.md)
[Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
Describes the best practices, location, values, policy management and security considerations for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting.
[Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based--including-secure-rpc--servers.md)
[Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
Describes the best practices, location, values, policy management and security considerations for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting.
Describes the best practices, location, values, policy management and security considerations for the System objects: Require case insensitivity for non-Windows subsystems security policy setting.
[System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects--eg-symbolic-links.md)
[System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)
Describes the best practices, location, values, policy management and security considerations for the System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting.
[AppLocker](applocker-overview-server.md)
[AppLocker](applocker-overview.md)
This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
[BitLocker](bitlocker-overview-roletech-overview.md)
[BitLocker](bitlocker-overview.md)
This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
[Security auditing](security-auditing-overview-glbl.md)
[Security auditing](security-auditing-overview.md)
Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.
This reference topic describes the common scenarios, architecture, and processes for security settings.
[Trusted Platform Module](trusted-platform-module-technology-overview.md)
[Trusted Platform Module](trusted-platform-module-overview.md)
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.
| Scenario | +Processes | +Notes | +
|---|---|---|
Automatically encrypt files from enterprise apps |
+
|
+Be aware that some file types, like .exe and .dll, along with some file paths, like |
+
Block enterprise data from non-enterprise apps |
+
|
++ |
Copy and paste from enterprise apps to non-enterprise apps |
+
|
++ |
Drag and drop from enterprise apps to non-enterprise apps |
+
|
++ |
Share between enterprise apps and non-enterprise apps |
+
|
++ |
Use the Encrypt to functionality |
+
|
++ |
Verify that Windows system components can use EDP |
+
|
+Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data. +A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your Protected Apps list. |
+
Use EDP on FAT/exFAT systems |
+
|
++ |
Use EDP on NTFS systems |
+
|
+Please pay attention and report any performance issues or slow-downs on the NTFS file system. +Currently, EFS Performance Optimizations are only enabled on NTFS. |
+
Unenroll client devices from EDP |
+
|
+WARNING +Unenrolling a device revokes and erases all of the enterprise data for the managed account. |
+
Verify that app content is protected when a Windows 10 Mobile phone is locked (also known as, Data Protection under Lock (DPL)) |
+Check that protected app data doesn't appear on the Lock screen of a Windows 10 Mobile phone. |
+Additional requirements to run DPL: +
|
+
| Event ID: 1000 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SCAN_STARTED - |
-||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
- Message: - |
-
- An antimalware scan started. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- -
|
-|||||||||||||||||||||
| Event ID: 1001 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SCAN_COMPLETED - |
-||||||||||||||||||||
|
- Message: - |
-
- An antimalware scan finished. - |
-|||||||||||||||||||||
|
- Description: - |
-
- -
|
-|||||||||||||||||||||
| Event ID: 1002 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SCAN_CANCELLED - - |
-||||||||||||||||||||
|
- Message: - |
-
- An antimalware scan was stopped before it finished. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- -
|
-|||||||||||||||||||||
| Event ID: 1003 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SCAN_PAUSED - - |
-||||||||||||||||||||
|
- Message: - |
-
- An antimalware scan was paused. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- -
|
-|||||||||||||||||||||
| Event ID: 1004 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SCAN_RESUMED - - |
-||||||||||||||||||||
|
- Message: - |
-
- An antimalware scan was resumed. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- -
|
-|||||||||||||||||||||
| Event ID: 1005 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SCAN_FAILED - - |
-||||||||||||||||||||
|
- Message: - |
-
- An antimalware scan failed. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- -
|
-|||||||||||||||||||||
|
- User action: - |
-
- The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. - -To troubleshoot this event: -
|
-|||||||||||||||||||||
| Event ID: 1006 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_MALWARE_DETECTED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware engine found malware or other potentially unwanted software. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - For more information please see the following: -
|
-|||||||||||||||||||||
| Event ID: 1007 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_MALWARE_ACTION_TAKEN - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following: -
|
-|||||||||||||||||||||
| Event ID: 1008 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_MALWARE_ACTION_FAILED - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following: -
|
-|||||||||||||||||||||
| Event ID: 1009 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_QUARANTINE_RESTORE - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform restored an item from quarantine. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has restored an item from quarantine. For more information please see the following: -
|
-|||||||||||||||||||||
| Event ID: 1010 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform could not restore an item from quarantine. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following: -
|
-|||||||||||||||||||||
| Event ID: 1011 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_QUARANTINE_DELETE - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform deleted an item from quarantine. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has deleted an item from quarantine. -For more information please see the following: -
|
-|||||||||||||||||||||
| Event ID: 1012 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_QUARANTINE_DELETE_FAILED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform could not delete an item from quarantine. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered an error trying to delete an item from quarantine. -For more information please see the following: -
|
-|||||||||||||||||||||
| Event ID: 1013 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_MALWARE_HISTORY_DELETE - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform deleted history of malware and other potentially unwanted software. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has removed history of malware and other potentially unwanted software. -
|
-|||||||||||||||||||||
| Event ID: 1014 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform could not delete history of malware and other potentially unwanted software. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software. -
|
-|||||||||||||||||||||
| Event ID: 1015 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_BEHAVIOR_DETECTED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform detected suspicious behavior. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has detected a suspicious behavior. -For more information please see the following: -
|
-|||||||||||||||||||||
| Event ID: 1116 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_STATE_MALWARE_DETECTED - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform detected malware or other potentially unwanted software. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has detected malware or other potentially unwanted software. -For more information please see the following: -
|
-|||||||||||||||||||||
|
- User action: - |
-
- No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer. - |
-|||||||||||||||||||||
| Event ID: 1117 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. -For more information please see the following: -
|
-|||||||||||||||||||||
|
- User action: - |
-
- No action is necessary. Windows Defender removed or quarantined a threat. - |
-|||||||||||||||||||||
| Event ID: 1118 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software. -For more information please see the following: -
|
-|||||||||||||||||||||
|
- User action: - |
-
- No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure. - |
-|||||||||||||||||||||
| Event ID: 1119 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software. -For more information please see the following: -
|
-|||||||||||||||||||||
|
- User action: - |
-
- The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below. +Event ID: 1000 +Symbolic name: + +**MALWAREPROTECTION\_SCAN\_STARTED** + +Message: + +**An antimalware scan started.** + +Description: + +Scan ID: <ID number of the relevant scan.> +Scan Type: <Scan type>, for example: +- Antivirus +- Antispyware +- Antimalware + +Scan Parameters: <Scan parameters>, for example: +- Full scan +- Quick scan +- Customer scan + +Scan Resources: <Resources (such as files/directories/BHO) that were scanned.> +User: <Domain>\\<User> +Event ID: 1001 +Symbolic name: + +**MALWAREPROTECTION\_SCAN\_COMPLETED** + +Message: + +**An antimalware scan finished.** + +Description: + +Scan ID: <ID number of the relevant scan.> +Scan Type: <Scan type>, for example: +- Antivirus +- Antispyware +- Antimalware + +Scan Parameters: <Scan parameters>, for example: +- Full scan +- Quick scan +- Customer scan + +User: <Domain>\\<User> +Scan Time: <The duration of a scan.> +Event ID: 1002 +Symbolic name: + +**MALWAREPROTECTION\_SCAN\_CANCELLED** + +Message: + +**An antimalware scan was stopped before it finished.** + +Description: + +Scan ID: <ID number of the relevant scan.> +Scan Type: <Scan type>, for example: +- Antivirus +- Antispyware +- Antimalware + +Scan Parameters: <Scan parameters>, for example: +- Full scan +- Quick scan +- Customer scan + +User: <Domain>\\<User> +Scan Time: <The duration of a scan.> +Event ID: 1003 +Symbolic name: + +**MALWAREPROTECTION\_SCAN\_PAUSED** + +Message: + +**An antimalware scan was paused.** + +Description: + +Scan ID: <ID number of the relevant scan.> +Scan Type: <Scan type>, for example: +- Antivirus +- Antispyware +- Antimalware + +Scan Parameters: <Scan parameters>, for example: +- Full scan +- Quick scan +- Customer scan + +User: <Domain>\\<User> +Event ID: 1004 +Symbolic name: + +**MALWAREPROTECTION\_SCAN\_RESUMED** + +Message: + +**An antimalware scan was resumed.** + +Description: + +Scan ID: <ID number of the relevant scan.> +Scan Type: <Scan type>, for example: +- Antivirus +- Antispyware +- Antimalware + +Scan Parameters: <Scan parameters>, for example: +- Full scan +- Quick scan +- Customer scan + +User: <Domain>\\<User> +Event ID: 1005 +Symbolic name: + +**MALWAREPROTECTION\_SCAN\_FAILED** + +Message: + +**An antimalware scan failed.** + +Description: + +Scan ID: <ID number of the relevant scan.> +Scan Type: <Scan type>, for example: +- Antivirus +- Antispyware +- Antimalware + +Scan Parameters: <Scan parameters>, for example: +- Full scan +- Quick scan +- Customer scan + +User: <Domain>\\<User> +Error Code: <Error code> Result code associated with threat status. Standard HRESULT values. +Error Description: <Error description> Description of the error. +User action: + +The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. + +To troubleshoot this event: + +1. Run the scan again. +2. If it fails in the same way, go to the [Microsoft Support site](http://go.microsoft.com/fwlink/?LinkId=215163), enter the error number in the **Search** box to look for the error code. +3. Contact [Microsoft Technical Support](http://go.microsoft.com/fwlink/?LinkId=215491). + +Event ID: 1006 +Symbolic name: + +**MALWAREPROTECTION\_MALWARE\_DETECTED** + +Message: + +**The antimalware engine found malware or other potentially unwanted software.** + +Description: + +For more information please see the following: + +Name: <Threat name> +ID: <Threat ID> +Severity: <Severity>, for example: +- Low +- Moderate +- High +- Severe + +Category: <Category description>, for example, any threat or malware type. +Path: <File path> +Detection Origin: <Detection origin>, for example: +- Unknown +- Local computer +- Network share +- Internet +- Incoming traffic +- Outgoing traffic + +Detection Type: <Detection type>, for example: +- Heuristics +- Generic +- Concrete +- Dynamic signature + +Detection Source: <Detection source> for example: +- User: user initiated +- System: system initiated +- Real-time: real-time component initiated +- IOAV: IE Downloads and Outlook Express Attachments initiated +- NIS: Network inspection system +- IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls +- Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence +- Remote attestation + +Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC +Status: <Status> +User: <Domain>\\<User> +Process Name: <Process in the PID> +Signature Version: <Definition version> +Engine Version: <Antimalware Engine version> +Event ID: 1007 +Symbolic name: + +**MALWAREPROTECTION\_MALWARE\_ACTION\_TAKEN** + +Message: + +**The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.** + +Description: + +Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following: + +User: <Domain>\\<User> +Name: <Threat name> +ID: <Threat ID> +Severity: <Severity>, for example: +- Low +- Moderate +- High +- Severe + +Category: <Category description>, for example, any threat or malware type. +Action: <Action>, for example: +- Clean: The resource was cleaned +- Quarantine: The resource was quarantined +- Remove: The resource was deleted +- Allow: The resource was allowed to execute/exist +- User defined: User defined action which is normally one from this list of actions that the user has specified +- No action: No action +- Block: The resource was blocked from executing + +Status: <Status> +Signature Version: <Definition version> +Engine Version: <Antimalware Engine version> +Event ID: 1008 +Symbolic name: + +**MALWAREPROTECTION\_MALWARE\_ACTION\_FAILED** + +Message: + +**The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.** + +Description: + +Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following: + +User: <Domain>\\<User> +Name: <Threat name> +ID: <Threat ID> +Severity: <Severity>, for example: +- Low +- Moderate +- High +- Severe + +Category: <Category description>, for example, any threat or malware type. +Path: <File path> +Action: <Action>, for example: +- Clean: The resource was cleaned +- Quarantine: The resource was quarantined +- Remove: The resource was deleted +- Allow: The resource was allowed to execute/exist +- User defined: User defined action which is normally one from this list of actions that the user has specified +- No action: No action +- Block: The resource was blocked from executing + +Error Code: <Error code> Result code associated with threat status. Standard HRESULT values. +Error Description: <Error description> Description of the error. +Status: <Status> +Signature Version: <Definition version> +Engine Version: <Antimalware Engine version> +Event ID: 1009 +Symbolic name: + +**MALWAREPROTECTION\_QUARANTINE\_RESTORE** + +Message: + +**The antimalware platform restored an item from quarantine.** + +Description: + +Windows Defender has restored an item from quarantine. For more information please see the following: + +Name: <Threat name> +ID: <Threat ID> +Severity: <Severity>, for example: +- Low +- Moderate +- High +- Severe + +Category: <Category description>, for example, any threat or malware type. +Path: <File path> +User: <Domain>\\<User> +Signature Version: <Definition version> +Engine Version: <Antimalware Engine version> +Event ID: 1010 +Symbolic name: + +**MALWAREPROTECTION\_QUARANTINE\_RESTORE\_FAILED** + +Message: + +**The antimalware platform could not restore an item from quarantine.** + +Description: + +Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following: + +Name: <Threat name> +ID: <Threat ID> +Severity: <Severity>, for example: +- Low +- Moderate +- High +- Severe + +Category: <Category description>, for example, any threat or malware type. +Path: <File path> +User: <Domain>\\<User> +Error Code: <Error code> Result code associated with threat status. Standard HRESULT values. +Error Description: <Error description> Description of the error. +Signature Version: <Definition version> +Engine Version: <Antimalware Engine version> +Event ID: 1011 +Symbolic name: + +**MALWAREPROTECTION\_QUARANTINE\_DELETE** + +Message: + +**The antimalware platform deleted an item from quarantine.** + +Description: + +Windows Defender has deleted an item from quarantine. For more information please see the following: + +Name: <Threat name> +ID: <Threat ID> +Severity: <Severity>, for example: +- Low +- Moderate +- High +- Severe + +Category: <Category description>, for example, any threat or malware type. +Path: <File path> +User: <Domain>\\<User> +Signature Version: <Definition version> +Engine Version: <Antimalware Engine version> +Event ID: 1012 +Symbolic name: + +**MALWAREPROTECTION\_QUARANTINE\_DELETE\_FAILED** + +Message: + +**The antimalware platform could not delete an item from quarantine.** + +Description: + +Windows Defender has encountered an error trying to delete an item from quarantine. For more information please see the following: + +Name: <Threat name> +ID: <Threat ID> +Severity: <Severity>, for example: +- Low +- Moderate +- High +- Severe + +Category: <Category description>, for example, any threat or malware type. +Path: <File path> +User: <Domain>\\<User> +Error Code: <Error code> Result code associated with threat status. Standard HRESULT values. +Error Description: <Error description> Description of the error. +Signature Version: <Definition version> +Engine Version: <Antimalware Engine version> +Event ID: 1013 +Symbolic name: + +**MALWAREPROTECTION\_MALWARE\_HISTORY\_DELETE** + +Message: + +**The antimalware platform deleted history of malware and other potentially unwanted software.** + +Description: + +Windows Defender has removed history of malware and other potentially unwanted software. + +Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time. +User: <Domain>\\<User> +Event ID: 1014 +Symbolic name: + +**MALWAREPROTECTION\_MALWARE\_HISTORY\_DELETE\_FAILED** + +Message: + +The antimalware platform could not delete history of malware and other potentially unwanted software. + +Description: + +Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software. + +Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time. +User: <Domain>\\<User> +Error Code: <Error code> Result code associated with threat status. Standard HRESULT values. +Error Description: <Error description> Description of the error. +Event ID: 1015 +Symbolic name: + +**MALWAREPROTECTION\_BEHAVIOR\_DETECTED** + +Message: + +**The antimalware platform detected suspicious behavior.** + +Description: + +Windows Defender has detected a suspicious behavior. For more information please see the following: + +Name: <Threat name> +ID: <Threat ID> +Severity: <Severity>, for example: +- Low +- Moderate +- High +- Severe + +Category: <Category description>, for example, any threat or malware type. +Path: <File path> +Detection Origin: <Detection origin>, for example: +- Unknown +- Local computer +- Network share +- Internet +- Incoming traffic +- Outgoing traffic + +Detection Type: <Detection type>, for example: +- Heuristics +- Generic +- Concrete +- Dynamic signature + +Detection Source: <Detection source> for example: +- User: user initiated +- System: system initiated +- Real-time: real-time component initiated +- IOAV: IE Downloads and Outlook Express Attachments initiated +- NIS: Network inspection system +- IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls +- Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence +- Remote attestation + +Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC +Status: <Status> +User: <Domain>\\<User> +Process Name: <Process in the PID> +Signature ID: Enumeration matching severity. +Signature Version: <Definition version> +Engine Version: <Antimalware Engine version> +Fidelity Label: +Target File Name: <File name> Name of the file. +Event ID: 1116 +Symbolic name: + +**MALWAREPROTECTION\_STATE\_MALWARE\_DETECTED** + +Message: + +**The antimalware platform detected malware or other potentially unwanted software.** + +Description: + +Windows Defender has detected malware or other potentially unwanted software. For more information please see the following: + +Name: <Threat name> +ID: <Threat ID> +Severity: <Severity>, for example: +- Low +- Moderate +- High +- Severe + +Category: <Category description>, for example, any threat or malware type. +Path: <File path> +Detection Origin: <Detection origin>, for example: +- Unknown +- Local computer +- Network share +- Internet +- Incoming traffic +- Outgoing traffic + +Detection Type: <Detection type>, for example: +- Heuristics +- Generic +- Concrete +- Dynamic signature + +Detection Source: <Detection source> for example: +- User: user initiated +- System: system initiated +- Real-time: real-time component initiated +- IOAV: IE Downloads and Outlook Express Attachments initiated +- NIS: Network inspection system +- IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls +- Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence +- Remote attestation + +Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC +User: <Domain>\\<User> +Process Name: <Process in the PID> +Signature Version: <Definition version> +Engine Version: <Antimalware Engine version> +User action: + +No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click **Clean Computer**. + +Event ID: 1117 +Symbolic name: + +**MALWAREPROTECTION\_STATE\_MALWARE\_ACTION\_TAKEN** + +Message: + +**The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.** + +Description: + +Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following: + +Name: <Threat name> +ID: <Threat ID> +Severity: <Severity>, for example: +- Low +- Moderate +- High +- Severe + +Category: <Category description>, for example, any threat or malware type. +Path: <File path> +Detection Origin: <Detection origin>, for example: +- Unknown +- Local computer +- Network share +- Internet +- Incoming traffic +- Outgoing traffic + +Detection Type: <Detection type>, for example: +- Heuristics +- Generic +- Concrete +- Dynamic signature + +Detection Source: <Detection source> for example: +- User: user initiated +- System: system initiated +- Real-time: real-time component initiated +- IOAV: IE Downloads and Outlook Express Attachments initiated +- NIS: Network inspection system +- IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls +- Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence +- Remote attestation + +Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC +User: <Domain>\\<User> +Process Name: <Process in the PID> +Action: <Action>, for example: +- Clean: The resource was cleaned +- Quarantine: The resource was quarantined +- Remove: The resource was deleted +- Allow: The resource was allowed to execute/exist +- User defined: User defined action which is normally one from this list of actions that the user has specified +- No action: No action +- Block: The resource was blocked from executing + +Action Status: <Description of additional actions> +Error Code: <Error code> Result code associated with threat status. Standard HRESULT values. +Error Description: <Error description> Description of the error. +Signature Version: <Definition version> +Engine Version: <Antimalware Engine version> +User action: + +No action is necessary. Windows Defender removed or quarantined a threat. + +Event ID: 1118 +Symbolic name: + +**MALWAREPROTECTION\_STATE\_MALWARE\_ACTION\_FAILED** + +Message: + +**The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.** + +Description: + +Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software. For more information please see the following: + +Name: <Threat name> +ID: <Threat ID> +Severity: <Severity>, for example: +- Low +- Moderate +- High +- Severe + +Category: <Category description>, for example, any threat or malware type. +Path: <File path> +Detection Origin: <Detection origin>, for example: +- Unknown +- Local computer +- Network share +- Internet +- Incoming traffic +- Outgoing traffic + +Detection Type: <Detection type>, for example: +- Heuristics +- Generic +- Concrete +- Dynamic signature + +Detection Source: <Detection source> for example: +- User: user initiated +- System: system initiated +- Real-time: real-time component initiated +- IOAV: IE Downloads and Outlook Express Attachments initiated +- NIS: Network inspection system +- IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls +- Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence +- Remote attestation + +Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC +User: <Domain>\\<User> +Process Name: <Process in the PID> +Action: <Action>, for example: +- Clean: The resource was cleaned +- Quarantine: The resource was quarantined +- Remove: The resource was deleted +- Allow: The resource was allowed to execute/exist +- User defined: User defined action which is normally one from this list of actions that the user has specified +- No action: No action +- Block: The resource was blocked from executing + +Action Status: <Description of additional actions> +Error Code: <Error code> Result code associated with threat status. Standard HRESULT values. +Error Description: <Error description> Description of the error. +Signature Version: <Definition version> +Engine Version: <Antimalware Engine version> +User action: + +No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure. + +Event ID: 1119 +Symbolic name: + +**MALWAREPROTECTION\_STATE\_MALWARE\_ACTION\_CRITICALLY\_FAILED** + +Message: + +**The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.** + +Description: + +Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: + +Name: <Threat name> +ID: <Threat ID> +Severity: <Severity>, for example: +- Low +- Moderate +- High +- Severe + +Category: <Category description>, for example, any threat or malware type. +Path: <File path> +Detection Origin: <Detection origin>, for example: +- Unknown +- Local computer +- Network share +- Internet +- Incoming traffic +- Outgoing traffic + +Detection Type: <Detection type>, for example: +- Heuristics +- Generic +- Concrete +- Dynamic signature + +Detection Source: <Detection source> for example: +- User: user initiated +- System: system initiated +- Real-time: real-time component initiated +- IOAV: IE Downloads and Outlook Express Attachments initiated +- NIS: Network inspection system +- IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls +- Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence +- Remote attestation + +Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC +User: <Domain>\\<User> +Process Name: <Process in the PID> +Action: <Action>, for example: +- Clean: The resource was cleaned +- Quarantine: The resource was quarantined +- Remove: The resource was deleted +- Allow: The resource was allowed to execute/exist +- User defined: User defined action which is normally one from this list of actions that the user has specified +- No action: No action +- Block: The resource was blocked from executing + +Action Status: <Description of additional actions> +Error Code: <Error code> Result code associated with threat status. Standard HRESULT values. +Error Description: <Error description> Description of the error. +Signature Version: <Definition version> +Engine Version: <Antimalware Engine version> +User action: + +The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant **User action** steps below. +
- If this event persists:
|
-|||||||||||||||||||||
| Event ID: 1120 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_THREAT_HASH - |
-||||||||||||||||||||
|
- Message: - |
-
- Windows Defender has deduced the hashes for a threat resource. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender client is up and running in a healthy state. -
|
-|||||||||||||||||||||
| - |
- Note This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
- |
-|||||||||||||||||||||
| Event ID: 1150 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SERVICE_HEALTHY - |
-||||||||||||||||||||
|
- Message: - |
-
- If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender client is up and running in a healthy state. -
|
-|||||||||||||||||||||
|
- User action: - |
-
- No action is necessary. The Windows Defenderclient is in a healthy state. This event is reported on an hourly basis. - |
-|||||||||||||||||||||
| Event ID: 2000 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SIGNATURE_UPDATED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware definitions updated successfully. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender signature version has been updated. -
|
-|||||||||||||||||||||
|
- User action: - |
-
- No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated. - |
-|||||||||||||||||||||
| Event ID: 2001 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware definition update failed. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered an error trying to update signatures. -
|
-|||||||||||||||||||||
|
- User action: - |
-
- This error occurs when there is a problem updating definitions. -To troubleshoot this event: -
|
-|||||||||||||||||||||
| Event ID: 2002 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_ENGINE_UPDATED - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware engine updated successfully. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender engine version has been updated. -
|
-|||||||||||||||||||||
|
- User action: - |
-
- No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated. - |
-|||||||||||||||||||||
| Event ID: 2003 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_ENGINE_UPDATE_FAILED - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware engine update failed. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered an error trying to update the engine. -
|
-|||||||||||||||||||||
|
- User action: - |
-
- The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update. -To troubleshoot this event: -
|
-|||||||||||||||||||||
| Event ID: 2004 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SIGNATURE_REVERSION - |
-||||||||||||||||||||
|
- Message: - |
-
- There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. -
|
-|||||||||||||||||||||
|
- User action: - |
-
- The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions. -To troubleshoot this event: -
|
-|||||||||||||||||||||
| Event ID: 2005 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted. -
|
-|||||||||||||||||||||
| Event ID: 2006 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_PLATFORM_UPDATE_FAILED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The platform update failed. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered an error trying to update the platform. -
|
-|||||||||||||||||||||
| Event ID: 2007 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE - |
-||||||||||||||||||||
|
- Message: - |
-
- The platform will soon be out of date. Download the latest platform to maintain up-to-date protection. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available. -
|
-|||||||||||||||||||||
| Event ID: 2010 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware engine used the Dynamic Signature Service to get additional definitions. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine. -
|
-|||||||||||||||||||||
| Event ID: 2011 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The Dynamic Signature Service deleted the out-of-date dynamic definitions. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender used Dynamic Signature Service to discard obsolete signatures. -
|
-|||||||||||||||||||||
|
- User action: - |
-
- No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions. - |
-|||||||||||||||||||||
| Event ID: 2012 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware engine encountered an error when trying to use the Dynamic Signature Service. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered an error trying to use Dynamic Signature Service. -
|
-|||||||||||||||||||||
|
- User action: - |
-
- Check your Internet connectivity settings. - |
-|||||||||||||||||||||
| Event ID: 2013 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL - - |
-||||||||||||||||||||
|
- Message: - |
-
- The Dynamic Signature Service deleted all dynamic definitions. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender discarded all Dynamic Signature Service signatures. -
|
-|||||||||||||||||||||
| Event ID: 2020 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware engine downloaded a clean file. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender downloaded a clean file. -
|
-|||||||||||||||||||||
| Event ID: 2021 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware engine failed to download a clean file. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered an error trying to download a clean file. -
|
-|||||||||||||||||||||
|
- User action: - |
-
- Check your Internet connectivity settings. - -The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. - - |
-|||||||||||||||||||||
| Event ID: 2030 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware engine was downloaded and is configured to run offline on the next system restart. - |
-|||||||||||||||||||||
|
- Description: - |
-
- Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot. - |
-|||||||||||||||||||||
| Event ID: 2031 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware engine was unable to download and configure an offline scan. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has encountered an error trying to download and configure Windows Defender Offline. -
|
-|||||||||||||||||||||
| Event ID: 2040 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_OS_EXPIRING - - |
-||||||||||||||||||||
|
- Message: - |
-
- Antimalware support for this operating system version will soon end. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats. - |
-|||||||||||||||||||||
| Event ID: 2041 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_OS_EOL - - |
-||||||||||||||||||||
|
- Message: - |
-
- Antimalware support for this operating system has ended. You must upgrade the operating system for continued support. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats. - |
-|||||||||||||||||||||
| Event ID: 2042 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_PROTECTION_EOL - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats. - |
-|||||||||||||||||||||
| Event ID: 3002 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_RTP_FEATURE_FAILURE - - |
-||||||||||||||||||||
|
- Message: - |
-
- Real-time protection encountered an error and failed. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender Real-Time Protection feature has encountered an error and failed. -
|
-|||||||||||||||||||||
|
- User action: - |
-
- You should restart the system then run a full scan because it’s possible the system was not protected for some time. - -The Windows Defender client’s real-time protection feature encountered an error because one of the services failed to start. - -If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. - - |
-|||||||||||||||||||||
| Event ID: 3007 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_RTP_FEATURE_RECOVERED - |
-||||||||||||||||||||
|
- Message: - |
-
- Real-time protection recovered from a failure. We recommend running a full system scan when you see this error. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down. -
|
-|||||||||||||||||||||
|
- User action: - |
-
- The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support. - |
-|||||||||||||||||||||
| Event ID: 5000 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_RTP_ENABLED - - |
-||||||||||||||||||||
|
- Message: - |
-
- Real-time protection is enabled. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled. - |
-|||||||||||||||||||||
| Event ID: 5001 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_RTP_DISABLED - |
-||||||||||||||||||||
|
- Message: - |
-
- Real-time protection is disabled. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled. - |
-|||||||||||||||||||||
| Event ID: 5004 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_RTP_FEATURE_CONFIGURED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The real-time protection configuration changed. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender Real-time Protection feature configuration has changed. -
|
-|||||||||||||||||||||
| Event ID: 5007 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_CONFIG_CHANGED - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform configuration changed. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. -
|
-|||||||||||||||||||||
| Event ID: 5008 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_ENGINE_FAILURE - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware engine encountered an error and failed. - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender engine has been terminated due to an unexpected error. -
|
-|||||||||||||||||||||
|
- User action: - |
-
- To troubleshoot this event:
|
-|||||||||||||||||||||
|
- User action: - |
-
- The Windows Defender client engine stopped due to an unexpected error. -To troubleshoot this event: -
|
-|||||||||||||||||||||
| Event ID: 5009 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_ANTISPYWARE_ENABLED - - |
-||||||||||||||||||||
|
- Message: - |
-
- Scanning for malware and other potentially unwanted software is enabled. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- Windows Defender scanning for malware and other potentially unwanted software has been enabled. - |
-|||||||||||||||||||||
| Event ID: 5010 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_ANTISPYWARE_DISABLED - - |
-||||||||||||||||||||
|
- Message: - |
-
- Scanning for malware and other potentially unwanted software is disabled. - |
-|||||||||||||||||||||
|
- Description: - |
-
- Windows Defender scanning for malware and other potentially unwanted software is disabled. - |
-|||||||||||||||||||||
| Event ID: 5011 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_ANTIVIRUS_ENABLED - |
-||||||||||||||||||||
|
- Message: - |
-
- Scanning for viruses is enabled. - |
-|||||||||||||||||||||
|
- Description: - |
-
- Windows Defender scanning for viruses has been enabled. - |
-|||||||||||||||||||||
| Event ID: 5012 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_ANTIVIRUS_DISABLED - - |
-||||||||||||||||||||
|
- Message: - |
-
- Scanning for viruses is disabled. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- Windows Defender scanning for viruses is disabled. - |
-|||||||||||||||||||||
| Event ID: 5100 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_EXPIRATION_WARNING_STATE - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform will expire soon. - - |
-|||||||||||||||||||||
|
- Description: - |
-
- - Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software. -
|
-|||||||||||||||||||||
| Event ID: 5101 | -
- Symbolic name: - |
-
- MALWAREPROTECTION_DISABLED_EXPIRED_STATE - - |
-||||||||||||||||||||
|
- Message: - |
-
- The antimalware platform is expired. - - |
-|||||||||||||||||||||
|
- Description:: - |
-
- - Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled. -
|
-|||||||||||||||||||||
-
Windows Defender client error codes
-If Windows Defender experiences any issues it will usually give you an error code to help you troubleshoot the issue. +This section provides the following information about Windows Defender client errors. -Most often an error means there was a problem installing an update. -
-This section provides the following information about Windows Defender client errors.
-
-
- The error code -
- The possible reason for the error -
- Advice on what to do now -
Use the information in these tables to help troubleshoot Windows Defender error codes.
-| External error codes | -|||
|---|---|---|---|
| Error code | -Message displayed | -Possible reason for error | -What to do now | -
|
- 0x80508007 - - |
-
- ERR_MP_NO_MEMORY - - |
-
- This error indicates that you might have run out of memory. - - |
-
- -
|
-
|
- 0x8050800C - |
-
- ERR_MP_BAD_INPUT_DATA - |
-
- This error indicates that there might be a problem with your security product. - |
-
- -
|
-
|
- 0x80508020 - |
-
- ERR_MP_BAD_CONFIGURATION - - |
-
- This error indicates that there might be an engine configuration error; commonly, this is related to input -data that does not allow the engine to function properly. - - |
-|
|
- 0x805080211 - - |
-
- ERR_MP_QUARANTINE_FAILED - - |
-
- This error indicates that Windows Defender failed to quarantine a threat. - - |
-|
|
- 0x80508022 - - |
-
- ERR_MP_REBOOT_REQUIRED - - |
-
- This error indicates that a reboot is required to complete threat removal. - - |
-|
|
- 0x80508023 - - |
-
- ERR_MP_THREAT_NOT_FOUND - - |
-
- This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. - - |
-
- Run the Microsoft Safety Scanner then update your security software and try again. - - |
-
|
- ERR_MP_FULL_SCAN_REQUIRED - - |
-
- This error indicates that a full system scan might be required. - - |
-
- Run a full system scan. - - |
-|
|
- 0x80508024 - - |
-|||
|
- 0x80508025 - - |
-
- ERR_MP_MANUAL_STEPS_REQUIRED - - |
-
- This error indicates that manual steps are required to complete threat removal. - - |
-
- Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history. - - |
-
|
- 0x80508026 - - |
-
- ERR_MP_REMOVE_NOT_SUPPORTED - - |
-
- This error indicates that removal inside the container type might not be not supported. - - |
-
- Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources. - - |
-
|
- 0x80508027 - - |
-
- ERR_MP_REMOVE_LOW_MEDIUM_DISABLED - - |
-
- This error indicates that removal of low and medium threats might be disabled. - - |
-
- Check the detected threats and resolve them as required. - - |
-
|
- 0x80508029 - - |
-
- ERROR_MP_RESCAN_REQUIRED - - |
-
- This error indicates a rescan of the threat is required. - - |
-
- Run a full system scan. - - |
-
|
- 0x80508030 - - |
-
- ERROR_MP_CALLISTO_REQUIRED - - |
-
- This error indicates that an offline scan is required. - - |
-
- Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline -article. - |
-
|
- 0x80508031 - - |
-
- ERROR_MP_PLATFORM_OUTDATED - - |
-
- This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform. - - |
-
- You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection. - - |
-
-
| Internal error codes | -|||
|---|---|---|---|
| Error code | -Message displayed | -Possible reason for error | -What to do now | -
|
- 0x80501004 - |
-
- ERROR_MP_NO_INTERNET_CONN - - |
-
- Check your Internet connection, then run the scan again. - |
-
- Check your Internet connection, then run the scan again. - |
-
|
- 0x80501000 - |
-
- ERROR_MP_UI_CONSOLIDATION_BASE - |
-
- This is an internal error. The cause is not clearly defined. - |
-
- -
|
-
|
- 0x80501001 - |
-
- ERROR_MP_ACTIONS_FAILED - |
-||
|
- 0x80501002 - |
-
- ERROR_MP_NOENGINE - |
-||
|
- 0x80501003 - |
-
- ERROR_MP_ACTIVE_THREATS - |
-||
|
- 0x805011011 - |
-
- MP_ERROR_CODE_LUA_CANCELLED - |
-||
|
- 0x80501101 - |
-
- ERROR_LUA_CANCELLATION - |
-||
|
- 0x80501102 - |
-
- MP_ERROR_CODE_ALREADY_SHUTDOWN - |
-||
|
- 0x80501103 - |
-
- MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING - |
-||
|
- 0x80501104 - |
-
- MP_ERROR_CODE_CANCELLED - |
-||
|
- 0x80501105 - |
-
- MP_ERROR_CODE_NO_TARGETOS - |
-||
|
- 0x80501106 - |
-
- MP_ERROR_CODE_BAD_REGEXP - |
-||
|
- 0x80501107 - |
-
- MP_ERROR_TEST_INDUCED_ERROR - |
-||
|
- 0x80501108 - |
-
- MP_ERROR_SIG_BACKUP_DISABLED - |
-||
|
- 0x80508001 - |
-
- ERR_MP_BAD_INIT_MODULES - |
-||
|
- 0x80508002 - |
-
- ERR_MP_BAD_DATABASE - |
-||
|
- 0x80508004 - |
-
- ERR_MP_BAD_UFS - |
-||
|
- 0x8050800C - |
-
- ERR_MP_BAD_INPUT_DATA - |
-||
|
- 0x8050800D - |
-
- ERR_MP_BAD_GLOBAL_STORAGE - |
-||
|
- 0x8050800E - |
-
- ERR_MP_OBSOLETE - |
-||
|
- 0x8050800F - |
-
- ERR_MP_NOT_SUPPORTED - |
-||
|
- 0x8050800F -0x80508010 - - |
-
- ERR_MP_NO_MORE_ITEMS - |
-||
|
- 0x80508011 - |
-
- ERR_MP_DUPLICATE_SCANID - |
-||
|
- 0x80508012 - |
-
- ERR_MP_BAD_SCANID - |
-||
|
- 0x80508013 - |
-
- ERR_MP_BAD_USERDB_VERSION - |
-||
|
- 0x80508014 - |
-
- ERR_MP_RESTORE_FAILED - |
-||
|
- 0x80508016 - |
-
- ERR_MP_BAD_ACTION - |
-||
|
- 0x80508019 - |
-
- ERR_MP_NOT_FOUND - |
-||
|
- 0x80509001 - |
-
- ERR_RELO_BAD_EHANDLE - |
-||
|
- 0x80509003 - |
-
- ERR_RELO_KERNEL_NOT_LOADED - |
-||
|
- 0x8050A001 - |
-
- ERR_MP_BADDB_OPEN - |
-||
|
- 0x8050A002 - |
-
- ERR_MP_BADDB_HEADER - |
-||
|
- 0x8050A003 - |
-
- ERR_MP_BADDB_OLDENGINE - |
-||
|
- 0x8050A004 - |
-
- ERR_MP_BADDB_CONTENT - |
-||
|
- 0x8050A005 - |
-
- ERR_MP_BADDB_NOTSIGNED - |
-||
|
- 0x8050801 - |
-
- ERR_MP_REMOVE_FAILED - |
-
- This is an internal error. It might be triggered when malware removal is not successful. - - |
-|
|
- 0x80508018 - - |
-
- ERR_MP_SCAN_ABORTED - - |
-
- This is an internal error. It might have triggered when a scan fails to complete. - - |
-|
New
Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration.
Updated to include Windows Server 2016 Technical Preview.
Removed the telemetry content into its own topic.
Updated to include Windows Server 2016 Technical Preview.
Administrators can assign online-licensed apps to employees in their organization.
[Distribute apps with a management tool](distribute-apps-with-a-management-tool.md)
[Distribute apps with a management tool](distribute-apps-with-management-tool.md)
You can configure a mobile device management (MDM) tool to synchronize your Store for Business inventory. Store for Business management tool services work with MDM tools to manage content.
[Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md)
[Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)
Store for Business has thousands of apps from many different categories.
Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.
[Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md)
[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md))
The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
This article describes the new servicing options available in Windows 10, Windows 10 Mobile, and Windows 10 IoT Core (IoT Core) and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles.
[Application development for Windows as a service](application-development-for-windows-as-a-service.md)
In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation, development, and delivery called [Windows as a service (WaaS)](introduction-to-windows-10-servicing.md). The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle and provide feedback to Microsoft through an iterative methodology called flighting.
[Windows Store for Business](windows-store-for-business.md)
Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.
| Comparison | -Windows 10 servicing options | -||
|---|---|---|---|
| Current Branch (CB) | -Current Branch for Business (CBB) | -Long-Term Servicing Branch (LTSB) | -|
| Availability of new feature upgrades for installation | -Immediate | -Deferred by ~4 months | -Not applicable | -
| Supported editions | -Windows 10 Home, Windows 10 Pro, Windows 10 Education, Windows 10 Enterprise, Windows 10 Mobile, -IoT Core, IoT Core Pro | -Windows 10 Pro, -Windows 10 Education, -Windows 10 Enterprise, Windows 10 Mobile Enterprise, -IoT Core Pro | -Windows 10 Enterprise LTSB | -
| Minimum length of servicing lifetime | -Approximately 4 Months | -Approximately 8 months | -10 years | -
| Ongoing installation of new feature upgrades required to receive servicing updates | -Yes | -Yes | -No | -
| Supports Windows Update for release deployment | -Yes | -Yes | -Yes | -
| Supports Windows Server Update Services for release deployment | -Yes -(excludes Home) - | -Yes | -Yes | -
| Supports Configuration Manager/configuration management systems for release deployment | -Yes -(excludes Home) - | -Yes | -Yes | -
| First party browsers included | -Microsoft Edge, -Internet Explorer 11 | -Microsoft Edge, -IE11 | -IE11 | -
| Notable Windows -system apps removed - | -None | -None | -Microsoft Edge, Windows Store Client, Cortana (limited search available) | -
| Notable Windows -universal apps removed - | -None | -None | -Outlook Mail/Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, Clock | -
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
[Configure telemetry in your organization](configure-telemetry-in-your-organization.md)
Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services.
[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)
Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
[Disconnect from Microsoft and configure privacy settings in your organization](disconnect-your-organization-from-microsoft.md)
If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
-If you’re looking for content on what each telemetry level means and how to configure it in your organization, see [Configure telemetry in your organization](configure-telemetry-in-your-organization.md).
[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.
[Manage Wi-Fi Sense in your company](manage-wi-fi-sense-in-your-company.md)
[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md))
Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.
The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.
[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.
You can manage access to your private store in Store for Business.
[App inventory managemement for Windows Store for Business](app-inventory-managemement-for-windows-store-for-business.md)
[App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md)
You can manage all apps that you've acquired on your Inventory page.
The private store is a feature in the Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
[Configure MDM provider](configure-mdm-provider.md)
[Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
[Update Windows Store for Business account settings](update-windows-store-for-business-account-settings-.md)
[Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md))
The Account information page in Windows Store for Business shows information about your organization that you can update, including: country or region, organization name, default domain, and language preference. These are settings in the Azure AD directory that you used when signing up for Store for Business
[Manage user accounts in Windows Store for Business](manage-users-and-groups-in-the-windows-store-for-business.md)
Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-in-the-windows-store-for-business.md), but not to groups.
[Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md))
Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups.
[Prerequisites for Windows Store for Business](prerequisites-for-windows-store-for-business.md)
[Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
There are a few prerequisites for using Store for Business.
[Sign up for Windows Store for Business](sign-up-for-windows-store-for-business.md)
[Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
Before you sign up for Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD account and directory as part of the sign up process.
[Roles and permissions in the Windows Store for Business](roles-and-permissions-in-the-windows-store-for-business.md)
[Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
The first person to sign in to Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.
[Settings reference: Windows Store for Business](settings-reference--windows-store-for-business.md)
[Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)
The Store for Business has a group of settings that admins use to manage the store.
[Sign up and get started](sign-up-and-get-started.md)
[Sign up and get started](sign-up-windows-store-for-business-overview.md)
IT admins can sign up for the Store for Business, and get started working with apps.
[Find and acquire apps](find-and-acquire-apps.md)
[Find and acquire apps](find-and-acquire-apps-overview.md)
Use the Store for Business to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
[Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-from-the-windows-store-for-business.md)
[Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
Distribute apps to your employees from Store for Business. You can assign apps to employees, or let employees install them from your private store.
[Manage apps](manage-apps.md)
[Manage apps](manage-apps-windows-store-for-business-overview.md)
Manage settings and access to apps in Store for Business.
Device Guard signing is a Device Guard feature that is available in the Store for Business. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
[Manage settings in the Windows Store for Business](manage-settings-in-the-windows-store-for-business.md)
[Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md)
You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant
[Troubleshoot Windows Store for Business](troubleshoot.md)
[Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md))
Troubleshooting topics for Store for Business.
This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for [Windows 10 and Windows 10 Mobile](../index.md).