ADMINMODE=1.
+ ```
+ **Example:**
+
+ ```
+ C:\Users\Administrator> msiexec.exe/I"C:\Users\Administrator\Desktop\Microsoft_Surface_Diagnostic_Toolkit_for_Business_Installer.msi" ADMINMODE=1
+ ```
+
+4. The SDT setup wizard appears, as shown in figure 1. Click **Next**.
+
+ >[!NOTE]
+ >If the setup wizard does not appear, ensure that you are signed into the Administrator account on your computer.
+
+ 
+
+ *Figure 1. Surface Diagnostic Toolkit setup wizard*
+
+5. When the SDT setup wizard appears, click **Next**, accept the End User License Agreement (EULA), and select a location to install the package.
+
+6. Click **Next** and then click **Install**.
+
+## Locating SDT on your Surface device
+
+Both SDT and the SDT app console are installed at `C:\Program Files\Microsoft\Surface\Microsoft Surface Diagnostic Toolkit for Business`.
+
+In addition to the .exe file, SDT installs a JSON file and an admin.dll file (modules\admin.dll), as shown in figure 2.
+
+
+
+*Figure 2. Files installed by SDT*
+
+
+## Preparing the SDT package for distribution
+
+Creating a custom package allows you to target the tool to specific known issues.
+
+1. Click **Start > Run**, enter **Surface** and then click **Surface Diagnostic Toolkit for Business**.
+2. When the tool opens, click **Create Custom Package**, as shown in figure 3.
+
+ 
+
+ *Figure 3. Create custom package*
+
+### Language and telemetry page
+
+
+When you start creating the custom package, you’re asked whether you agree to send data to Microsoft to help improve the application. For more information,see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). Sharing is on by default, so uncheck the box if you wish to decline.
+
+>[!NOTE]
+>This setting is limited to only sharing data generated while running packages.
+
+
+
+*Figure 4. Select language and telemetry settings*
+
+### Windows Update page
+
+Select the option appropriate for your organization. Most organizations with multiple users will typically select to receive updates via Windows Server Update Services (WSUS), as shown in figure 5. If using local Windows update packages or WSUS, enter the path as appropriate.
+
+
+
+*Figure 5. Windows Update option*
+
+### Software repair page
+
+This allows you to select or remove the option to run software repair updates.
+
+
+
+*Figure 6. Software repair option*
+
+### Collecting logs and saving package page
+
+You can select to run a wide range of logs across applications, drivers, hardware, and the operating system. Click the appropriate area and select from the menu of available logs. You can then save the package to a software distribution point or equivalent location that users can access.
+
+
+
+*Figure 7. Log option and save package*
+
+## Next steps
+
+- [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
+- [Use Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
+
+
+
+
+
+
+
+
+
+
+
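Review bot: The msiexec example in the fenced block runs the executable and the `/I` switch together with no spaces (`msiexec.exe/I"C:\Users\...`), which cmd.exe will not parse as intended; it should read `msiexec.exe /I "C:\Users\Administrator\Desktop\Microsoft_Surface_Diagnostic_Toolkit_for_Business_Installer.msi" ADMINMODE=1`. Steps 4 and 5 also both begin with the setup wizard appearing and clicking **Next**, so step 5 should start at accepting the EULA. Separately, the "Locating SDT on your Surface device" section states that the SDT app console is installed together with SDT under Program Files, while the new command-line topic in this same commit says the console must be downloaded separately from the Surface Tools for IT page; one of the two statements needs correcting so administrators know where the console binary actually comes from.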
diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md
new file mode 100644
index 0000000000..24e4b2011d
--- /dev/null
+++ b/devices/surface/surface-diagnostic-toolkit-command-line.md
@@ -0,0 +1,143 @@
+---
+title: Run Surface Diagnostic Toolkit for Business using commands
+description: How to run Surface Diagnostic Toolkit in a command console
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.date: 11/15/2018
+---
+
+# Run Surface Diagnostic Toolkit for Business using commands
+
+Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features.
+
+>[!NOTE]
+>To run SDT using commands, you must be signed in to the Administrator account or signed in to an account that is a member of the Administrator group on your Surface device.
+
+## Running SDT app console
+
+Download and install SDT app console from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703). You can use the Windows command prompt (cmd.exe) or Windows PowerShell to:
+
+- Collect all log files.
+- Run health diagnostics using Best Practice Analyzer.
+- Check update for missing firmware or driver updates.
+
+By default, output files are saved to C:\Administrator\user. Refer to the following table for a complete list of commands.
+
+Command | Notes
+--- | ---
+-DataCollector "output file" | Collects system details into a zip file. "output file" is the file path to create system details zip file.
**Example**:
`Microsoft.Surface.Diagnostics.App.Console.exe -DataCollector SDT_DataCollection.zip`
+-bpa "output file" | Checks several settings and health indicators in the device. “output file" is the file path to create the HTML report.
**Example**:
`Microsoft.Surface.Diagnostics.App.Console.exe -bpa BPA.html`
+-windowsupdate | Checks Windows Update online servers for missing firmware and/or driver updates.
**Example**:
Microsoft.Surface.Diagnostics.App.Console.exe -windowsupdate
+
+>[!NOTE]
+>To run the SDT app console remotely on target devices, you can use a configuration management tool such as System Center Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console commands and deploy per your organization’s software distribution processes.
+
+## Running Best Practice Analyzer
+
+You can run BPA tests across key components such as BitLocker, Secure Boot, and Trusted Platform Module (TPM) and then output the results to a shareable file. The tool generates a series of tables with color-coded headings and condition descriptors along with guidance about how to approach resolving the issue.
+
+- Green indicates the component is running in an optimal condition (optimal).
+- Orange indicates the component is not running in an optimal condition (not optimal).
+- Red indicates the component is in an abnormal state.
+
+### Sample BPA results output
+
+
+BitLocker |
+Description: | Checks if BitLocker is enabled on the system drive. |
+Value: | Protection On |
+Condition: | Optimal |
+Guidance: | It is highly recommended to enable BitLocker to protect your data. |
+
+
+
+Secure Boot |
+Description: | Checks if Secure Boot is enabled. |
+Value: | True |
+Condition: | Optimal |
+Guidance: | It is highly recommended to enable Secure Boot to protect your PC. |
+
+
+
+Trusted Platform Module |
+Description: | Ensures that the TPM is functional. |
+Value: | True |
+Condition: | Optimal |
+Guidance: | Without a functional TPM, security-based functions such as BitLocker may not work properly. |
+
+
+
+Connected Standby |
+Description: | Checks if Connected Standby is enabled. |
+Value: | True |
+Condition: | Optimal |
+Guidance: | Connected Standby allows a Surface device to receive updates and notifications while not being used. For best experience, Connected Standby should be enabled. |
+
+
+
+Bluetooth |
+Description: | Checks if Bluetooth is enabled. |
+Value: | Enabled |
+Condition: | Optimal |
+Guidance: | |
+
+
+
+Debug Mode |
+Description: | Checks if the operating system is in Debug mode. |
+Value: | Normal |
+Condition: | Optimal |
+Guidance: | The debug boot option enables or disables kernel debugging of the Windows operating system. Enabling this option can cause system instability and can prevent DRM (digital rights managemend) protected media from playing. |
+
+
+
+Test Signing |
+Description: | Checks if Test Signing is enabled. |
+Value: | Normal |
+Condition: | Optimal |
+Guidance: | Test Signing is a Windows startup setting that should only be used to test pre-release drivers. |
+
+
+
+Active Power Plan |
+Description: | Checks that the correct power plan is active. |
+Value: | Balanced |
+Condition: | Optimal |
+Guidance: | It is highly recommended to use the "Balanced" power plan to maximize productivity and battery life. |
+
+
+
+Windows Update |
+Description: | Checks if the device is up to date with Windows updates. |
+Value: | Microsoft Silverlight (KB4023307), Definition Update for Windows Defender Antivirus - KB2267602 (Definition 1.279.1433.0) |
+Condition: | Not Optimal |
+Guidance: | Updating to the latest windows makes sure you are on the latest firmware and drivers. It is recommended to always keep your device up to date |
+
+
+
+Free Hard Drive Space |
+Description: | Checks for low free hard drive space. |
+Value: | 66% |
+Condition: | Optimal |
+Guidance: | For best performance, your hard drive should have at least 10% of its capacity as free space. |
+
+
+
+Non-Functioning Devices |
+Description: | List of non-functioning devices in Device Manager. |
+Value: | |
+Condition: | Optimal |
+Guidance: | Non-functioning devices in Device Manager may cause unpredictable problems with Surface devices such as, but not limited to, no power savings for the respective hardware component. |
+
+
+
+External Monitor |
+Description: | Checks for an external monitor that may have compatibility issues. |
+Value: | |
+Condition: | Optimal |
+Guidance: | Check with the original equipment manufacturer for compatibility with your Surface device. |
+
\ No newline at end of file
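Review bot: The command table (`-DataCollector`, `-bpa`, `-windowsupdate`) places the **Example** label and the command on separate lines under each row, which breaks the Markdown table; keep each cell on one line (for instance with `<br>`) or move the examples into a fenced block below the table, and format the `-windowsupdate` example in backticks like the other two. Typos in the new file: "STD app console" in the first paragraph should be "SDT app console", "managemend" in the Debug Mode guidance should be "management", and "latest windows" in the Windows Update guidance should be "latest Windows updates". The stated default output location `C:\Administrator\user` looks unlikely (user profiles live under `C:\Users\<account>`); please verify against the tool's actual behaviour. The "Sample BPA results output" tables also have no header separator rows and an unmatched trailing `|` on each component line, so they will render as plain text rather than tables.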
diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
new file mode 100644
index 0000000000..ee76845656
--- /dev/null
+++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
@@ -0,0 +1,99 @@
+---
+title: Use Surface Diagnostic Toolkit for Business in desktop mode
+description: How to use SDT to help users in your organization run the tool to identify and diagnose issues with the Surface device.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.date: 11/15/2018
+---
+
+# Use Surface Diagnostic Toolkit for Business in desktop mode
+
+This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error.
+
+1. Direct the user to install [the SDT package](surface-diagnostic-toolkit-business.md#create-custom-sdt) from a software distribution point or network share. After it is installed, you’re ready to guide the user through a series of tests.
+
+2. Begin at the home page, which allows users to enter a description of the issue, and click **Continue**, as shown in figure 1.
+
+ 
+
+ *Figure 1. SDT in desktop mode*
+
+3. When SDT indicates the device has the latest updates, click **Continue** to advance to the catalog of available tests, as shown in figure 2.
+
+ 
+
+ *Figure 2. Select from SDT options*
+
+4. You can choose to run all the diagnostic tests. Or, if you already suspect a particular issue such as a faulty display or a power supply problem, click **Select** to choose from the available tests and click **Run Selected**, as shown in figure 3. See the following table for details of each test.
+
+ 
+
+ *Figure 3. Select hardware tests*
+
+ Hardware test | Description
+ --- | ---
+ Power Supply and Battery | Checks Power supply is functioning optimally
+ Display and Sound | Checks brightness, stuck or dead pixels, speaker and microphone functioning
+ Ports and Accessories | Checks accessories, screen attach and USB functioning
+ Connectivity | Checks Bluetooth, wireless and LTE connectivity
+ Security | Checks security related issues
+ Touch | Checks touch related issues
+ Keyboard and touch | Checks integrated keyboard connection and type cover
+ Sensors | Checks functioning of different sensors in the device
+ Hardware | Checks issues with different hardware components such as graphics card and camera
+
+
+
+
+
+
+## Running multiple hardware tests to troubleshoot issues
+
+SDT is designed as an interactive tool that runs a series of tests. For each test, SDT provides instructions summarizing the nature of the test and what users should expect or look for in order for the test to be successful. For example, to diagnose if the display brightness is working properly, SDT starts at zero and increases the brightness to 100 percent, asking users to confirm – by answering **Yes** or **No** -- that brightness is functioning as expected, as shown in figure 4.
+
+For each test, if functionality does not work as expected and the user clicks **No**, SDT generates a report of the possible causes and ways to troubleshoot it.
+
+
+
+*Figure 4. Running hardware diagnostics*
+
+1. If the brightness successfully adjusts from 0-100 percent as expected, direct the user to click **Yes** and then click **Continue**.
+2. If the brightness fails to adjust from 0-100 percent as expected, direct the user to click **No** and then click **Continue**.
+3. Guide users through remaining tests as appropriate. When finished, SDT automatically provides a high-level summary of the report, including the possible causes of any hardware issues along with guidance for resolution.
+
+
+### Repairing applications
+
+SDT enables you to diagnose and repair applications that may be causing issues, as shown in figure 5.
+
+
+
+*Figure 5. Running repairs*
+
+
+
+
+
+### Generating logs for analyzing issues
+
+SDT provides extensive log-enabled diagnosis support across applications, drivers, hardware, and operating system issues, as shown in figure 6.
+
+
+
+*Figure 6. Generating logs*
+
+
+
+
+### Generating detailed report comparing device vs. optimal configuration
+
+Based on the logs, SDT generates a report for software- and firmware-based issues that you can save to a preferred location.
+
+## Related topics
+
+- [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
+
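Review bot: Step 1 links to `surface-diagnostic-toolkit-business.md#create-custom-sdt`, but the only matching section visible in that topic is headed "Preparing the SDT package for distribution"; check that the anchor resolves. In the hardware test table, "Checks Power supply is functioning optimally" should read "Checks that the power supply is functioning optimally", and "type cover" is the product name Type Cover. The brightness paragraph mixes an en dash and a double hyphen ("confirm – by answering **Yes** or **No** --"); use one dash style. The "Related topics" list omits the business topic that step 1 depends on, and the runs of blank lines before "Running multiple hardware tests" and after figures 5 and 6 should be collapsed.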
diff --git a/store-for-business/images/msft-accept-partner.png b/store-for-business/images/msft-accept-partner.png
new file mode 100644
index 0000000000..6b04d822a4
Binary files /dev/null and b/store-for-business/images/msft-accept-partner.png differ
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index d0c8a17014..618205cdd5 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -56,6 +56,7 @@ If your organization restricts computers on your network from connecting to the
- windowsphone.com
- \*.wns.windows.com
- \*.microsoft.com
+- \*.s-microsoft.com
- www.msftncsi.com (prior to Windows 10, version 1607)
- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com
starting with Windows 10, version 1607)
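Review bot: The new `\*.s-microsoft.com` entry widens the proxy or firewall allow list with another wildcard domain but, unlike the `www.msftconnecttest.com` entry, says nothing about which Store traffic uses it or which Windows versions need it; add that purpose so administrators can justify the exception and later prune it. Also, if the split is present in the source file and not only in this rendering, the parenthetical "(replaces www.msftncsi.com starting with Windows 10, version 1607)" is broken across two lines and will render as a malformed list item.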
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 0b88f3f051..2bcdcd39b9 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -13,7 +13,7 @@ ms.date: 10/31/2018
# Microsoft Store for Business and Education release history
-Microsoft Store for Business and Education regularly releases new and improved feaures. Here's a summary of new or updated features in previous releases.
+Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
@@ -24,7 +24,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **App requests** - People in your organization can make requests for apps that they need. hey can also request them on behalf of other people. Admins review requests and can decide on purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#allow-app-requests)
## July 2018
-- Bug fixes and permformance improvements.
+- Bug fixes and performance improvements.
## June 2018
- **Change order within private store collection** - Continuing our focus on improvements for private store, now you can customize the order of products in each private store collection.
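Review bot: The context line directly above the July 2018 heading has another typo that this spelling pass missed: "hey can also request them on behalf of other people" should be "They can also request them on behalf of other people".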
@@ -39,7 +39,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period.
## March 2018
-- **Performance improvements in private store** - We've made it significantly faster for you to udpate the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
+- **Performance improvements in private store** - We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
- **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results.
[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)
- **Manage Skype Communication credits** - Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings.
@@ -53,20 +53,20 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role.
## December 2017
-- Bug fixes and permformance improvements.
+- Bug fixes and performance improvements.
## November 2017
- **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file.
## October 2017
-- Bug fixes and permformance improvements.
+- Bug fixes and performance improvements.
## September 2017
- **Manage Windows device deployment with Windows Autopilot Deployment** - In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device. [Get more info](add-profile-to-devices.md)
-- **Request an app** - People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)
+- **Request an app** - People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)
- **My organization** - **My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account.
-- **Manage prepaid Office 365 subscriptions** - Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date.
+- **Manage prepaid Office 365 subscriptions** - Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redeeming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date.
- **Manage Office 365 subscriptions acquired by partners** - Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions.
- **Edge extensions in Microsoft Store** - Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app.
-- **Search results in Microsoft Store for Business** - Search results now have sub categories to help you refine search results.
\ No newline at end of file
+- **Search results in Microsoft Store for Business** - Search results now have sub categories to help you refine search results.
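Review bot: One more typo remains in this hunk's context: "update profile info for you org" in the **My organization** bullet should be "your org". Also, "3rd-party" in the prepaid subscriptions bullet would read better as "third-party", matching the rest of these docs; both could go in with this spelling fix.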
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 39896e6c80..45d4c68486 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -28,7 +28,7 @@ We’ve been working on bug fixes and performance improvements to provide you a
|-----------------------|---------------------------------|
|  |**Performance improvements in private store**
We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.
[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
| | **Manage Windows device deployment with Windows Autopilot Deployment**
In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.
[Get more info](add-profile-to-devices.md)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
-|  |**Request an app**
People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.
[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
+|  |**Request an app**
People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.
[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
||  |**Private store collections**
You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom.
[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
-->
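Review bot: The **Private store collections** row in this commented-out table links to `https://review.docs.microsoft.com/...?branch=msfb-14856406`, an internal review URL that should be replaced with the public docs.microsoft.com link before the block is ever uncommented, and "You can groups of apps in your private store" in the same row should be "You can group apps in your private store". The fix for "reqest" is fine.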
@@ -69,7 +69,7 @@ We’ve been working on bug fixes and performance improvements to provide you a
- Microsoft Product and Services Agreement customers can invite people to take roles
[December 2017](release-history-microsoft-store-business-education.md#december-2017)
-- Bug fixes and permformance improvements
+- Bug fixes and performance improvements
[November 2017](release-history-microsoft-store-business-education.md#november-2017)
- Export list of Minecraft: Education Edition users
diff --git a/store-for-business/work-with-partner-microsoft-store-business.md b/store-for-business/work-with-partner-microsoft-store-business.md
index f364728d57..0f30df6697 100644
--- a/store-for-business/work-with-partner-microsoft-store-business.md
+++ b/store-for-business/work-with-partner-microsoft-store-business.md
@@ -20,7 +20,7 @@ The process goes like this:
- Admins find and contact a solution provider using **Find a solution provider** in Microsoft Store for Business.
- Solution providers send a request from Partner center to customers to become their solution provider.
- Customers accept the invitation in Microsoft Store for Business and start working with the solution provider.
-- Customers can manage setting for the relationship with Partner in Microsoft Store for Business.
+- Customers can manage settings for the relationship with Partner in Microsoft Store for Business.
## What can a solution provider do for my organization or school?
@@ -59,9 +59,11 @@ The solution provider will get in touch with you. You'll have a chance to learn
Once you've found a solution provider and decided to work with them, they'll send you an invitation to work together from Partner Center. In Microsoft Store for Business or Education, you'll need to accept the invitation. After that, you can manage their permissions.
**To accept a solution provider invitation**
-1. **Follow email link** - You'll receive an email with a link accept the solution provider invitation. The link will take you to Microsoft Store for Business or Education.
+1. **Follow email link** - You'll receive an email with a link to accept the solution provider invitation from your solution provider. The link will take you to Microsoft Store for Business or Education.
2. **Accept invitation** - On **Accept Partner Invitation**, select **Authorize** to accept the invitation, accept terms of the Microsoft Cloud Agreement, and start working with the solution provider.
-
+
+
+
## Delegate admin privileges
Depending on the request made by the solution provider, part of accepting the invitation will include agreeing to give delegated admin privileges to the solution provider. This will happen when the solution provider request includes acting as a delegated administrator. For more information, see [Delegated admin privileges in Azure AD](https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges#delegated-admin-privileges-in-azure-ad).
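Review bot: Step 2 tells the reader to select **Authorize**, but the security consequence of that click is explained only in the following "Delegate admin privileges" section: accepting the invitation can grant the solution provider delegated admin privileges in Azure AD. Add a short pointer in step 2 (for example, "Review the permissions the solution provider is requesting; see Delegate admin privileges below") so customers know what they are consenting to before authorizing. The added lines after step 2 also appear empty here; confirm that the `msft-accept-partner.png` image added in this commit is actually referenced in the Markdown.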
@@ -76,4 +78,4 @@ If you delegate admin privileges to a solution provider, you can remove that lat
3. Choose the Partner you want to manage.
4. Select **Remove Delegated Permissions**.
-The solution provider will still be able to work with you, for example, as a Reseller.
\ No newline at end of file
+The solution provider will still be able to work with you, for example, as a Reseller.
diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
index 2da4a3b2f6..5a78399b06 100644
--- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
@@ -16,7 +16,7 @@ To install the management server on a standalone computer and connect it to the
1. Copy the App-V server installation files to the computer on which you want to install it on. To start the App-V server installation, run **appv\_server\_setup.exe** as an administrator, then select **Install**.
2. On the **Getting Started** page, review and accept the license terms, then select **Next**.
-3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft Udpate, select **Use Microsoft Update when I check for updates (recommended)**. To disable Microsoft Update, select **I don’t want to use Microsoft Update**, then select **Next**.
+3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft Update, select **Use Microsoft Update when I check for updates (recommended)**. To disable Microsoft Update, select **I don’t want to use Microsoft Update**, then select **Next**.
4. On the **Feature Selection** page, select the **Management Server** checkbox, then select **Next**.
5. On the **Installation Location** page, accept the default location, then select **Next**.
6. On the **Configure Existing Management Database** page, select **Use a remote SQL Server**, then enter the computer running Microsoft SQL's machine name, such as ```SqlServerMachine```.
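Review bot: The spelling fix is fine; the adjacent context line in step 6, "enter the computer running Microsoft SQL's machine name", would read better as "enter the name of the computer running Microsoft SQL Server" and could be corrected in the same pass.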
diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md
index 93b1e53290..836382c673 100644
--- a/windows/client-management/TOC.md
+++ b/windows/client-management/TOC.md
@@ -14,6 +14,8 @@
## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md)
### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md)
### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md)
+### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
+### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
new file mode 100644
index 0000000000..207d12b5d3
--- /dev/null
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -0,0 +1,389 @@
+---
+title: Advanced troubleshooting for Windows boot problems
+description: Learn how to troubleshoot when Windows is unable to boot
+ms.prod: w10
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 11/16/2018
+---
+
+# Advanced troubleshooting for Windows boot problems
+
+>[!NOTE]
+>This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415).
+
+## Summary
+
+There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
+
+| **Phase** | **Boot Process** | **BIOS** | **UEFI** |
+|--------|----------------------|------------------------------| |
+| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
+| 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi |
+| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi |
+| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | |
+
+
+**1. PreBoot**
+
+The PC’s firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot
+Manager.
+
+**2. Windows Boot Manager**
+
+Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
+
+**3. Windows operating system loader**
+
+Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
+
+**4. Windows NT OS Kernel**
+
+The kernel loads into memory the system registry hive and additional drivers that are marked as BOOT_START.
+
+The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that are not marked BOOT_START.
+
+Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
+
+
+[Click to enlarge](img-boot-sequence.md)
+
+
+
+
+Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases.
+
+>[!NOTE]
+>If the computer repeatedly boots to the recovery options, run the following command at a command prompt to break the cycle:
+>
+>`Bcdedit /set {default} recoveryenabled no`
+>
+>If the F8 options don't work, run the following command:
+>
+>`Bcdedit /set {default} bootmenupolicy legacy`
+
+
+## BIOS phase
+
+To determine whether the system has passed the BIOS phase, follow these steps:
+
+1. If there are any external peripherals connected to the computer, disconnect them.
+2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase.
+3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS.
+
+If the system is stuck at the BIOS phase, there may be a hardware problem.
+
+## Boot loader phase
+
+If the screen is completely black except for a blinking cursor, or if you receive one of the following error codes, this indicates that the boot process is stuck in the Boot Loader phase:
+
+- Boot Configuration Data (BCD) missing or corrupted
+- Boot file or MBR corrupted
+- Operating system Missing
+- Boot sector missing or corrupted
+- Bootmgr missing or corrupted
+- Unable to boot due to system hive missing or corrupted
+
+To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods.
+
+
+### Method 1: Startup Repair tool
+
+The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically.
+
+To do this, follow these steps.
+
+>[!NOTE]
+>For additional methods to start WinRE, see [Entry points into WinRE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
+
+1. Start the system to the installation media for the installed version of Windows.
+ **Note** For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088).
+
+2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
+
+3. On the **System Recovery Options** screen, select **Next** > **Command Prompt**.
+
+4. After Startup Repair, select **Shutdown**, then turn on your PC to see if Windows can boot properly.
+
+The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location:
+
+**%windir%\System32\LogFiles\Srt\Srttrail.txt**
+
+
+For more information see, [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
+
+
+### Method 2: Repair Boot Codes
+
+To repair boot codes, run the following command:
+
+```dos
+BOOTREC /FIXMBR
+```
+
+To repair the boot sector, run the following command:
+
+```dos
+BOOTREC /FIXBOOT
+```
+
+>[!NOTE]
+>Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem.
+
+### Method 3: Fix BCD errors
+
+If you receive BCD-related errors, follow these steps:
+
+1. Scan for all the systems that are installed. To do this, run the following command:
+ ```dos
+ Bootrec /ScanOS
+ ```
+
+2. Restart the computer to check whether the problem is fixed.
+
+3. If the problem is not fixed, run the following command:
+ ```dos
+ Bootrec /rebuildbcd
+ ```
+
+4. You might receive one of the following outputs:
+
+ - Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 0
+ The operation completed successfully.
+
+ - Scanning all disks for Windows installations. Please wait, since this may take a while... Successfully scanned Windows installations. Total identified Windows installations: 1
+ D:\Windows
+ Add installation to boot list? Yes/No/All:
+
+If the output shows **windows installation: 0**, run the following commands:
+
+```dos
+bcdedit /export c:\bcdbackup
+
+attrib c:\\boot\\bcd -h -r –s
+
+ren c:\\boot\\bcd bcd.old
+
+bootrec /rebuildbcd
+```
+
+After you run the command, you receive the following output:
+
+ Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 1{D}:\Windows
+Add installation to boot list? Yes/No/All: Y
+
+5. Try again to start the system.
+
+### Method 4: Replace Bootmgr
+
+If methods 1 and 2 do not fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this, follow these steps:
+
+1. At a command prompt, change the directory to the System Reserved partition.
+
+2. Run the **attrib** command to unhide the file:
+ ```dos
+ attrib-s -h -r
+ ```
+
+3. Run the same **attrib** command on the Windows (system drive):
+ ```dos
+ attrib-s -h –r
+ ```
+
+4. Rename the Bootmgr file as Bootmgr.old:
+ ```dos
+ ren c:\\bootmgr bootmgr.old
+ ```
+
+5. Start a text editor, such as Notepad.
+
+6. Navigate to the system drive.
+
+7. Copy the Bootmgr file, and then paste it to the System Reserved partition.
+
+8. Restart the computer.
+
+### Method 5: Restore System Hive
+
+If Windows cannot load the system registry hive into memory, you must restore the system hive. To do this, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config.
+
+If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
+
+
+## Kernel Phase
+
+If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
+
+- A Stop error appears after the splash screen (Windows Logo screen).
+
+- Specific error code is displayed.
+ For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
+ (To troubleshoot the 0x0000007B error, see [Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)](https://internal.support.services.microsoft.com/help/4343769/troubleshooting-guide-for-windows-boot-problems#0x7bstoperror))
+
+- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
+
+- A black screen appears after the splash screen.
+
+To troubleshoot these problems, try the following recovery boot options one at a time.
+
+**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration**
+
+On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps:
+
+1. Use one of the following methods to open Event Viewer:
+
+ - Click **Start**, point to **Administrative Tools**, and then click
+ **Event Viewer**.
+
+ - Start the Event Viewer snap-in in Microsoft Management Console (MMC).
+
+2. In the console tree, expand Event Viewer, and then click the log that you
+ want to view. For example, click **System log** or **Application log**.
+
+3. In the details pane, double-click the event that you want to view.
+
+4. On the **Edit** menu, click **Copy**, open a new document in the program in
+ which you want to paste the event (for example, Microsoft Word), and then
+ click **Paste**.
+
+5. Use the Up Arrow or Down Arrow key to view the description of the previous
+ or next event.
+
+
+### Clean boot
+
+To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig).
+Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you cannot find the cause, try including system services. However, in most cases, the problematic service is third-party.
+
+Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**.
+
+For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows).
+
+If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
+[Troubleshooting boot problem caused by missing driver signature (x64)](https://blogs.technet.microsoft.com/askcore/2012/04/15/troubleshooting-boot-issues-due-to-missing-driver-signature-x64/)
+
+>[!NOTE]
+>If the computer is a domain controller, try Directory Services Restore mode (DSRM).
+>
+>This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2"
+
+
+**Examples**
+
+>[!WARNING]
+>Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these
+problems can be solved. Modify the registry at your own risk.
+
+*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)*
+
+To troubleshoot this Stop error, follow these steps to filter the drivers:
+
+1. Go to Window Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version.
+
+2. Open the registry.
+
+3. Load the system hive, and name it as "test."
+
+4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers:
+
+ **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class**
+
+5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data.
+
+6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive.
+
+7. Restart the server in Normal mode.
+
+For additional troubleshooting steps, see the following articles:
+
+- [Troubleshooting a Stop 0x7B in Windows](https://blogs.technet.microsoft.com/askcore/2013/08/05/troubleshooting-a-stop-0x7b-in-windows/)
+
+- [Advanced troubleshooting for "Stop error code 0x0000007B (INACCESSIBLE_BOOT_DEVICE)" errors in Windows XP](https://internal.support.services.microsoft.com/help/324103).
+
+To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
+
+1. Open a Command Prompt winodw in WinRE.
+
+2. Run the command:
+ ```dos
+ dism /image:C:\ /get-packages
+ ```
+
+3. If there are any pending updates, uninstall them by running the following commands:
+ ```dos
+ DISM /image:C:\ /remove-package /packagename: name of the package
+ ```
+ ```dos
+ Dism /Image:C:\ /Cleanup-Image /RevertPendingActions
+ ```
+
+Try to start the computer.
+
+If the computer does not start, follow these steps:
+
+1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad.
+
+2. Navigate to the system drive, and search for windows\winsxs\pending.xml.
+
+3. If the Pending.xml file is found, rename the file as Pending.xml.old.
+
+4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test.
+
+5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value.
+
+6. If the **pendingxmlidentifier** value exists, delete the value.
+
+7. Unload the test hive.
+
+8. Load the system hive, name it as "test".
+
+9. Navigate to the following subkey:
+
+ **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller**
+
+10. Change the **Start** value from **1** to **4**
+
+11. Unload the hive.
+
+12. Try to start the computer.
+
+If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following Knowledge Base article:
+
+- [969028](https://support.microsoft.com/help/969028) How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2
+
+For more information about page file problems in Windows 10 or Windows Server 2016, see the following Knowledge Base article:
+
+- [4133658](https://support.microsoft.com/help/4133658) Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows
+
+For more information about Stop errors, see the following Knowledge Base article:
+
+- [3106831](https://support.microsoft.com/help/3106831) Troubleshooting Stop error problems for IT Pros
+
+
+If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
+
+- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
+
+- If the driver is not important and has no dependencies, load the system hive, and then disable the driver.
+
+- If the stop error indicates system file corruption, run the system file checker in offline mode.
+ - To do this, open WinRE, open a command prompt, and then run the following command:
+ ```dos
+ SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows
+ ```
+ For more information, see [Using System File Checker (SFC) To Fix Issues](https://blogs.technet.microsoft.com/askcore/2007/12/18/using-system-file-checker-sfc-to-fix-issues/)
+
+ - If there is disk corruption, run the check disk command:
+ ```dos
+ chkdsk /f /r
+ ```
+
+ - If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
+
+ 1. Start WinRE, and open a Command Prompt window.
+ 2. Start a text editor, such as Notepad.
+ 3. Navigate to C\Windows\System32\Config\.
+ 4. Rename the all five hives by appending ".old" to the name.
+ 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
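Review bot: several commands in this new topic will not work if copied as written. Backslashes are literal inside the fenced `dos` blocks, so `attrib c:\\boot\\bcd -h -r –s`, `ren c:\\boot\\bcd bcd.old` and `ren c:\\bootmgr bootmgr.old` should use single backslashes; the `–s` and `–r` switches in the attrib lines use an en dash instead of `-`; and `attrib-s -h -r` in Method 4 is missing both the space after `attrib` and the name of the file it is meant to unhide (the surrounding text says Bootmgr). In the same vein, the SFC example mixes `/OffBootDir=C:\` with `/OffWinDir=E:\Windows` while the DISM commands above it use `/image:C:\`; either make the drive letters consistent or state that readers must substitute the letters WinRE assigned. The INACCESSIBLE_BOOT_DEVICE procedure also has readers delete upper/lower filter values from the loaded system hive with no backup step, although the warning just above it says such edits can require reinstalling the OS; mirror Method 3, which exports the BCD with `bcdedit /export c:\bcdbackup` before touching it, and add a step to copy the hive first so the change is reversible. Rendering and wording: the table separator row under **Summary** ends in an empty `| |` cell instead of a fourth `---` column, so the table will not render; the sample output `Total identified Windows installations: 1{D}:\Windows` has lost its line break; Method 4 opens with "If methods 1 and 2 do not fix the problem" although it follows Method 3; two links point at `internal.support.services.microsoft.com`, which public readers cannot reach, and should be replaced with public support.microsoft.com URLs; and there are typos in "Window Recovery Environment", "winodw", "C\Windows\System32\Config\" (missing colon) and "Rename the all five hives".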
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md
index f5b708473d..9bf3c3a404 100644
--- a/windows/client-management/change-history-for-client-management.md
+++ b/windows/client-management/change-history-for-client-management.md
@@ -16,6 +16,12 @@ ms.date: 09/12/2017
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## November 2018
+
+New or changed topic | Description
+--- | ---
+ [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) | New
+
## RELEASE: Windows 10, version 1709
The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update).
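Review bot: the new **November 2018** section lists only the freeze topic, but this same change also adds `advanced-troubleshooting-boot-problems.md` (the new-file hunk above) and links it from the TOC, so add a row `[Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md) | New`. The context line `ms.date: 09/12/2017` at the top of this hunk is stale for a file gaining a November 2018 entry and should be bumped in the same change. Minor: the table row begins with a leading space, which some markdown renderers treat as part of the first cell.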
diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md
index aea4ddbb30..f8a9d1a2c6 100644
--- a/windows/client-management/data-collection-for-802-authentication.md
+++ b/windows/client-management/data-collection-for-802-authentication.md
@@ -14,538 +14,371 @@ ms.date: 10/29/2018
# Data Collection for Troubleshooting 802.1x Authentication
-## Steps to capture Wireless/Wired functionality logs
-
+## Capture wireless/wired functionality logs
+
+Use the following steps to collect wireless and wired logs on Windows and Windows Server:
+
1. Create C:\MSLOG on the client machine to store captured logs.
-2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log:
+2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log.
-**On Windows 8.1, Windows 10 Wireless Client**
+ **Wireless Windows 8.1 and Windows 10:**
-```dos
-netsh ras set tracing * enabled
-```
-```dos
-netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
-```
+ ```
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
+ ```
-**On Windows 7, Winodws 8 Wireless Client**
-```dos
-netsh ras set tracing * enabled
-```
-```dos
-netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
-```
+ **Wireless Windows 7 and Windows 8:**
+ ```
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
+ ```
-**On Wired network client**
-
-```dos
-netsh ras set tracing * enabled
-```
-```dos
-netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
-```
+ **Wired client, regardless of version**
+ ```
+ netsh ras set tracing * enabled
+ netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
+ ```
-3. Run the followind command to enable CAPI2 logging:
-
-```dos
-wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
-```
+3. Run the following command to enable CAPI2 logging:
+
+ ```
+ wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
+ ```
4. Create C:\MSLOG on the NPS to store captured logs.
5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log:
-**On Windows Server 2012 R2, Windows Server 2016 Wireless network**
+ **Windows Server 2012 R2, Windows Server 2016 wireless network:**
- ```dos
- netsh ras set tracing * enabled
```
- ```dos
- netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
```
-**On Windows Server 2008 R2, Winodws Server 2012 Wireless network**
+ **Windows Server 2008 R2, Windows Server 2012 wireless network**
- ```dos
- netsh ras set tracing * enabled
```
- ```dos
- netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
+ netsh ras set tracing * enabled
+ netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
```
-**On wired network**
+ **Wired network**
- ```dos
- netsh ras set tracing * enabled
```
- ```dos
- netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
+ netsh ras set tracing * enabled
+ netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
```
-6. Run the followind command to enable CAPI2 logging:
+6. Run the following command to enable CAPI2 logging:
- ```dos
+ ```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
```
-
7. Run the following command from the command prompt on the client machine and start PSR to capture screen images:
-
-> [!NOTE]
-> When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
+ > [!NOTE]
+ > When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
- ```dos
+ ```
psr /start /output c:\MSLOG\%computername%\_psr.zip /maxsc 100
```
-
8. Repro the issue.
-
-9. Run the following command on the client machine to stop the PSR capturing:
+9. Run the following command on the client PC to stop the PSR capturing:
- ```dos
- psr /stop
- ```
+ ```
+ psr /stop
+ ```
10. Run the following commands from the command prompt on the NPS.
-**Stopping RAS trace log and Wireless scenario log**
+ - To stop RAS trace log and wireless scenario log:
- ```dos
- netsh trace stop
- ```
- ```dos
- netsh ras set tracing * disabled
- ```
-
-**Disabling and copying CAPI2 log**
+ ```
+ netsh trace stop
+ netsh ras set tracing * disabled
+ ```
+ - To disable and copy CAPI2 log:
- ```dos
- wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
- ```
- ```dos
- wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
- ```
+ ```
+ wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
+ wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
+ ```
-11. Run the following commands from the prompt on the client machine.
+11. Run the following commands on the client PC.
+ - To stop RAS trace log and wireless scenario log:
+ ```
+ netsh trace stop
+ netsh ras set tracing * disabled
+ ```
-**Stopping RAS trace log and Wireless scenario log**
+ - To disable and copy the CAPI2 log:
+ ```
+ wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
+ wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
+ ```
+
+12. Save the following logs on the client and the NPS:
+
+ **Client**
+ - C:\MSLOG\%computername%_psr.zip
+ - C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
+ - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
+ - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
+ - All log files and folders in %Systemroot%\Tracing
+
+ **NPS**
+ - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
+ - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
+ - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
+ - All log files and folders in %Systemroot%\Tracing
- ```dos
- netsh trace stop
- ```
- ```dos
- netsh ras set tracing * disabled
- ```
-
-**Disabling and copying CAPI2 log**
+## Save environmental and configuration information
+
+### On Windows client
- ```dos
- wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
- ```
- ```dos
- wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
- ```
-
-12. Save the following logs on the client and the NPS.
-
-**Client**
- - C:\MSLOG\%computername%_psr.zip
- - C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
- - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
- - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
- - All log files and folders in %Systemroot%\Tracing
-
-**NPS**
- - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
- - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
- - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
- - All log files and folders in %Systemroot%\Tracing
-
-
-### Steps to save environmental / configuration information
-
-**Client**
1. Create C:\MSLOG to store captured logs.
2. Launch a command prompt as an administrator.
3. Run the following commands.
- - Environmental information and Group Policies application status
- ```dos
- gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm
-
- msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
-
- ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
-
- route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
- ```
-
-**Event logs**
-
-**Run the following command on Windows 8 and above **
-```dos
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
-```
-
-```dos
-wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
-
-wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
-
-wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
-
-wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
-
-wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
-
-wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
-```
-
-**Certificates Store information**
-
-```dos
-certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
-
-certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
-
-certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
-
-certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
-
-certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
-
-certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
-
-certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
-
-certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
-```
-
-**Wireless LAN Client information**
-```dos
-netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
-
-netsh wlan export profile folder=c:\MSLOG\
-```
-
-**Wired LAN Client information**
-```dos
-netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
-
-netsh lan export profile folder=c:\MSLOG\
-```
-
-4. Save the logs stored in C:\MSLOG.
-
-
-**NPS**
- 1. Create C:\MSLOG to store captured logs.
- 2. Launch a command prompt as an administrator.
- 3. Run the following commands:
-
- **Environmental information and Group Policies application status**
-
- ```dos
- gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
-
+ - Environmental information and Group Policies application status
+
+ ```
+ gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm
+ msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
+ ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
+ route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
+ ```
+ - Event logs
+
+ ```
+ wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
+ wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
+ wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
+ wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
+ wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
+ wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
+ ```
+ - For Windows 8 and later, also run these commands for event logs:
+
+ ```
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
+ ```
+ - Certificates Store information:
+
+ ```
+ certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
+ certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
+ certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
+ certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
+ certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
+ certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
+ certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
+ certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
+ certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
+ certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
+ ```
+ - Wireless LAN client information:
+
+ ```
+ netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
+ netsh wlan export profile folder=c:\MSLOG\
+ ```
+ - Wired LAN Client information
+
+ ```
+ netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
+ netsh lan export profile folder=c:\MSLOG\
+ ```
+4. Save the logs stored in C:\MSLOG.
+
+### On NPS
+
+1. Create C:\MSLOG to store captured logs.
+2. Launch a command prompt as an administrator.
+3. Run the following commands.
+ - Environmental information and Group Policies application status:
+
+ ```
+ gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
-
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
-
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
```
+ - Event logs:
+
+ ```
+ wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
+ wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
+ wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
+ wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
+ ```
+ - Run the following 3 commands on Windows Server 2012 and later:
+
+ ```
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
+ ```
+ - Certificates store information
+
+ ```
+ certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
+ certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
+ certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
+ certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
+ certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
+ certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
+ certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
+ certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
+ certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
+ certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
+ ```
+ - NPS configuration information:
+
+ ```
+ netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
+ netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
+ ```
+3. Take the following steps to save an NPS accounting log.
+ 1. Open **Administrative tools > Network Policy Server**.
+ 2. On the Network Policy Server administration tool, select **Accounting** in the left pane.
+ 3. Click **Change Log File Properties**.
+ 4. On the **Log File** tab, note the log file naming convention shown as **Name** and the log file location shown in **Directory** box.
+ 5. Copy the log file to C:\MSLOG.
-**Event logs**
-**Run the following 3 commands on Windows Server 2012 and above:**
-```dos
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
-```
+4. Save the logs stored in C:\MSLOG.
-```dos
-wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
-
-wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
-
-wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
-
-wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
-```
+### Certificate Authority (CA) (OPTIONAL)
-**Certificates store information**
-```dos
-certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
-
-certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
-
-certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
-
-certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
-
-certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
-
-certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
-
-certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
-
-certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
-```
-
-**NPS configuration information**
-```dos
-netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
-
-netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
-```
-
-3. Take the following steps to save an NPS accounting log:
-4. Launch **Administrative tools** - **Network Policy Server**.
- - On the Network Policy Server administration tool, select **Accounting** in the left pane.
- - Click **Change Log File Properties** in the right pane.
- - Click the **Log File** tab, note the log file naming convention shown as *Name* and the log file location shown in the **Directory** box.
- - Copy the log file to C:\MSLOG.
- - Save the logs stored in C:\MSLOG.
-
-
-**Certificate Authority (CA)** *Optional*
-
-1. On a CA, launch a command prompt as an administrator.
-2. Create C:\MSLOG to store captured logs.
-3. Run the following commands:
-
-Environmental information and Group Policies application status
-
-```dos
-gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
-
-msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
-
-ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
-
-route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
-```
-
-**Event logs**
-
-**Run the following 3 lines on Windows 2012 and up:**
-
-```dos
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
-```
-
-```dos
-wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
-
-wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
-
-wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
-
-wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
-
-wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
-```
-
-**Certificates store information**
-
-```dos
-certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
-
-certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
-
-certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
-
-certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
-
-certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
-
-certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
-
-certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
-
-certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
-
-certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
-
-certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
-
-certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
-
-certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
-```
-
-**CA configuration information**
-```dos
-reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
-
-reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
-
-reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
-
-reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx
-```
-
-4. Copy the following files, if exist, to C:\MSLOG. %windir%\CAPolicy.inf
-5. Log on to a domain controller and create C:\MSLOG to store captured logs.
-6. Launch Windows PowerShell as an administrator.
-7. Run the following PowerShell commandlets
-
- \* Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
-```powershell
-Import-Module ActiveDirectory
-
-Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
-```
-8. Save the following logs:
-- All files in C:\MSLOG on the CA
-- All files in C:\MSLOG on the domain controller
+1. On a CA, launch a command prompt as an administrator. Create C:\MSLOG to store captured logs.
+2. Run the following commands.
+ - Environmental information and Group Policies application status
+
+ ```
+ gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
+ msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
+ ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
+ route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
+ ```
+ - Event logs
+
+ ```
+ wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
+ wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
+ wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
+ wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
+ ```
+ - Run the following 3 lines on Windows 2012 and up
+
+ ```
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
+ wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
+ ```
+ - Certificates store information
+
+ ```
+ certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
+ certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
+ certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
+ certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
+ certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
+ certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
+ certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
+ certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
+ certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
+ certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
+ certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
+ certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
+ certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
+ certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
+ certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
+ ```
+ - CA configuration information
+
+ ```
+ reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
+ reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
+ reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
+ reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx
+ ```
+3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf
+4. Log on to a domain controller and create C:\MSLOG to store captured logs.
+5. Launch Windows PowerShell as an administrator.
+6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
+
+ ```powershell
+ Import-Module ActiveDirectory
+ Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
+ ```
+7. Save the following logs.
+ - All files in C:\MSLOG on the CA
+ - All files in C:\MSLOG on the domain controller
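Review bot: the NPS step `netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES` writes every RADIUS client shared secret into the XML in clear text, and the list then says "Save the logs stored in C:\MSLOG" with no caution; add a note that the export (and the whole C:\MSLOG bundle) must be handled as a secret, and consider showing `exportPSK=NO` unless the shared secrets are actually needed for the case. Three smaller problems in the same hunk: the client section now writes `gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm` while the NPS and CA sections keep `_gpresult.txt` for the same `/H` HTML report, so use `.htm` in all three; the CA line `reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx` carries over a truncated `.txt`; and the NPS procedure numbers "Take the following steps to save an NPS accounting log" as `3.` right after `3. Run the following commands.`, so the closing `4. Save the logs stored in C:\MSLOG.` is off by one. Also, the escaped characters inside the fences are rendered literally in a fenced block: every `%COMPUTERNAME%\_...` path then resolves to `C:\MSLOG\<hostname>\_...`, a subdirectory that step 1 never creates, and `-Filter \* -Properties \*` with the `";...";` quoting around the DN will not parse in PowerShell; strip the `\_`, `\*` and stray `;` so the commands run as typed.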
diff --git a/windows/client-management/images/boot-sequence-thumb.png b/windows/client-management/images/boot-sequence-thumb.png
new file mode 100644
index 0000000000..164f9f9848
Binary files /dev/null and b/windows/client-management/images/boot-sequence-thumb.png differ
diff --git a/windows/client-management/images/boot-sequence.png b/windows/client-management/images/boot-sequence.png
new file mode 100644
index 0000000000..31e6dc34c9
Binary files /dev/null and b/windows/client-management/images/boot-sequence.png differ
diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md
new file mode 100644
index 0000000000..ca385d841a
--- /dev/null
+++ b/windows/client-management/img-boot-sequence.md
@@ -0,0 +1,11 @@
+---
+description: A full-sized view of the boot sequence flowchart.
+title: Boot sequence flowchart
+ms.date: 11/16/2018
+---
+
+Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
+
+
+
+
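Review bot: the body of the new img-boot-sequence.md ends in three empty lines after the "Return to" link and never references `boot-sequence.png`, which this same patch adds under windows/client-management/images/, so a page whose description is "A full-sized view of the boot sequence flowchart" currently shows only the link. Embed the image with descriptive alt text after the link.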
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index b1d8ac001f..8cc949f6b9 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -400,7 +400,7 @@ Location:
Example:
HTTP/1.1 302
-Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Acess%20is%20denied%2E
+Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Access%20is%20denied%2E
```
The following table shows the error codes.
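Review bot: the same `Location:` line still percent-encodes the trailing period of the error description as `%2E`, which is not required (a period is an unreserved character and may appear literally in a query string) and makes the example harder to read next to the now-correct `Access%20is%20denied`. Keep `%2E` only if this is a verbatim capture of what the server emits; otherwise end the value with a plain `.`.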
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index 4fb7edff7c..97ae506323 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -25,7 +25,7 @@ The content below are the latest versions of the DDF files:
## DiagnosticLog CSP version 1.2
-``` syntax
+```xml
4
- This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4.
+ This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4.
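Review bot: while this sentence is being touched for the `associated` typo, `Kilobytes` should be lowercase (`kilobytes`) and the range `1~16` reads better as `1 to 16`; the identical sentence is repeated in the version 1.3 hunk below, so apply the same wording to both.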
@@ -634,7 +634,7 @@ The content below are the latest versions of the DDF files:
## DiagnosticLog CSP version 1.3
-``` syntax
+```xml
4
- This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4.
+ This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4.
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 7a2feeca63..cf0794e951 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -1255,7 +1255,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
WindowsDefenderSecurityCenter/HideSecureBoot
WindowsDefenderSecurityCenter/HideTPMTroubleshooting
-Security/RequireDeviceEncrption - updated to show it is supported in desktop.
+Security/RequireDeviceEncryption - updated to show it is supported in desktop.
[BitLocker CSP](bitlocker-csp.md) |
@@ -2335,7 +2335,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
Settings/AllowOnlineTips
System/DisableEnterpriseAuthProxy
-Security/RequireDeviceEncrption - updated to show it is supported in desktop.
+Security/RequireDeviceEncryption - updated to show it is supported in desktop.
[BitLocker CSP](bitlocker-csp.md) |
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 121570bcf5..94c886672a 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -86,6 +86,7 @@ If you enable this policy setting, Windows is allowed to install or update any d
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 99ad8fd29e..51f9efc4a5 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -664,7 +664,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat
If you disable or do not configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
> [!TIP]
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md
new file mode 100644
index 0000000000..5abfc5b2a9
--- /dev/null
+++ b/windows/client-management/troubleshoot-windows-freeze.md
@@ -0,0 +1,287 @@
+---
+title: Advanced troubleshooting for Windows-based computer freeze issues
+description: Learn how to troubleshoot computer freeze issues.
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+ms.topic: troubleshooting
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 11/26/2018
+---
+
+# Advanced troubleshooting for Windows-based computer freeze issues
+
+This article describes how to troubleshoot freeze issues on Windows-based computers and servers. It also provides methods for collecting data that will help administrators or software developers diagnose, identify, and fix these issues.
+
+> [!Note]
+> The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
+
+## Identify the problem
+
+* Which computer is freezing? (Example: The impacted computer is a physical server, virtual server, and so on.)
+* What operation was being performed when the freezes occurred? (Example: This issue occurs when you shut down GUI, perform one or more operations, and so on.)
+* How often do the errors occur? (Example: This issue occurs every night at 7 PM, every day around 7 AM, and so on.)
+* On how many computers does this occur? (Example: All computers, only one computer, 10 computers, and so on.)
+
+## Troubleshoot the freeze issues
+
+To troubleshoot the freeze issues, check the current status of your computer, and follow one of the following methods.
+
+### For the computer that's still running in a frozen state
+
+If the physical computer or the virtual machine is still freezing, use one or more of the following methods for troubleshooting:
+
+* Try to access the computer through Remote Desktop, Citrix, and so on.
+* Use the domain account or local administrator account to log on the computer by using one of the Remote Physical Console Access features, such as Dell Remote Access Card (DRAC), HP Integrated Lights-Out (iLo), or IBM Remote supervisor adapter (RSA).
+* Test ping to the computer. Packet dropping and high network latency may be observed.
+* Access administrative shares (\\\\**ServerName**\\c$).
+* Press Ctrl + Alt + Delete command and check response.
+* Try to use Remote Admin tools such as Computer Management, remote Server Manager, and Wmimgmt.msc.
+
+### For the computer that is no longer frozen
+
+If the physical computer or virtual machine froze but is now running in a good state, use one or more of the following methods for troubleshooting.
+
+#### For a physical computer
+
+* Review the System and Application logs from the computer that is having the issue. Check the event logs for the relevant Event ID:
+
+ - Application event log : Application Error (suggesting Crash or relevant System Process)
+ - System Event logs, Service Control Manager Error event IDs for Critical System Services
+ - Error Event IDs 2019/2020 with source Srv/Server
+
+* Generate a System Diagnostics report by running the perfmon /report command.
+
+#### For a virtual machine
+
+* Review the System and Application logs from the computer that is having the issue.
+* Generate a System Diagnostics report by running the perfmon /report command.
+* Check history in virtual management monitoring tools.
+
+## More Information
+
+### Collect data for the freeze issues
+
+To collect data for a server freeze, check the following table, and use one or more of the suggested methods.
+
+|Computer type and state |Data collection method |
+|-------------------------|--------------------|
+|A physical computer that's running in a frozen state|[Use a memory dump file to collect data](#use-memory-dump-to-collect-data-for-the-physical-computer-thats-running-in-a-frozen-state). Or use method 2, 3, or 4. These methods are listed later in this section.|
+|A physical computer that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section. And [use Pool Monitor to collect data](#use-pool-monitor-to-collect-data-for-the-physical-computer-that-is-no-longer-frozen).|
+|A virtual machine that's running in a frozen state|Hyper-V or VMware: [Use a memory dump file to collect data for the virtual machine that's running in a frozen state](#use-memory-dump-to-collect-data-for-the-virtual-machine-thats-running-in-a-frozen-state).
XenServer: Use method 1, 2, 3, or 4. These methods are listed later in this section.|
+|A virtual machine that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section.|
+
+
+#### Method 1: Memory dump
+
+> [!Note]
+> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
+
+A complete memory dump file records all the contents of system memory when the computer stops unexpectedly. A complete memory dump file may contain data from processes that were running when the memory dump file was collected.
+
+If the computer is no longer frozen and now is running in a good state, use the following steps to enable memory dump so that you can collect memory dump when the freeze issue occurs again. If the virtual machine is still running in a frozen state, use the following steps to enable and collect memory dump.
+
+> [!Note]
+> If you have a restart feature that is enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process.
+
+
+1. Make sure that the computer is set up to get a complete memory dump file. To do this, follow these steps:
+
+ 1. Go to **Run** and enter `Sysdm.cpl`, and then press enter.
+
+ 2. In **System Properties**, on the **Advanced** tab, select **Performance** \> **Settings** \> **Advanced**, and then check or change the virtual memory by clicking **Change**.
+
+ 2. Go back to **System Properties** \> **Advanced** \> **Settings** in **Startup and Recovery**.
+
+ 3. In the **Write Debugging Information** section, select **Complete Memory Dump**.
+
+ > [!Note]
+ > For Windows versions that are earlier than Windows 8 or Windows Server 2012, the Complete Memory Dump type isn't available in the GUI. You have to change it in Registry Editor. To do this, change the value of the following **CrashDumpEnabled** registry entry to **1** (REG_DWORD):
+ >**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled**
+
+ 4. Select **Overwrite any existing file**.
+
+ 5. Make sure that there's a paging file (pagefile.sys) on the system drive and that it’s at least 100 megabytes (MB) over the installed RAM (Initial and Maximum Size).
+
+ Additionally, you can use the workaround for [space limitations on the system drive in Windows Server 2008](#space-limitations-on-the-system-drive-in-windows-server-2008).
+
+ 6. Make sure that there's more freed-up space on the hard disk drives than there is physical RAM.
+
+2. Enable the CrashOnCtrlScroll registry value to allow the system to generate a dump file by using the keyboard. To do this, follow these steps:
+
+ 1. Go to Registry Editor, and then locate the following registry keys:
+
+ * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters`
+
+ * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters`
+
+ 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys:
+
+ - **Value Name**: `CrashOnCtrlScroll`
+ - **Data Type**: `REG_DWORD`
+ - **Value**: `1`
+
+ 3. Exit Registry Editor.
+
+ 4. Restart the computer.
+
+3. On some physical computers, you may generate a nonmakeable interruption (NMI) from the Web Interface feature (such as DRAC, iLo, and RSA). However, by default, this setting will stop the system without creating a memory dump.
+
+ To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change.
+
+ > [!Note]
+ > This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](https://support.microsoft.com/help/2750146).
+
+4. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file.
+
+ > [!Note]
+ > By default, the dump file is located in the following path:
+ > %SystemRoot%\MEMORY.DMP
+
+
+#### Method 2: Data sanity check
+
+Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file was created correctly. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid.
+
+- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk)
+- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk)
+
+Learn how to use Dumpchk.exe to check your dump files:
+
+> [!video https://www.youtube-nocookie.com/embed/xN7tOfgNKag]
+
+
+#### Method 3: Performance Monitor
+
+You can use Windows Performance Monitor to examine how programs that you run affect your computer's performance, both in real time and by collecting log data for later analysis. To create performance counter and event trace log collections on local and remote systems, run the following commands in a command prompt as administrator:
+
+```cmd
+Logman create counter LOGNAME_Long -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:05:00
+```
+
+```cmd
+Logman create counter LOGNAME_Short -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:00:10
+```
+
+Then, you can start or stop the log by running the following commands:
+
+```cmd
+logman start LOGNAME_Long / LOGNAME_Short
+logman stop LOGNAME_Long / LOGNAME_Short
+```
+
+The Performance Monitor log is located in the path: C:\PERFLOGS
+
+#### Method 4: Microsoft Support Diagnostics
+
+1. In the search box of the [Microsoft Support Diagnostics Self-Help Portal](https://home.diagnostics.support.microsoft.com/selfhelp), type Windows Performance Diagnostic.
+
+2. In the search results, select **Windows Performance Diagnostic**, and then click **Create**.
+
+3. Follow the steps of the diagnostic.
+
+
+### Additional methods to collect data
+
+#### Use memory dump to collect data for the physical computer that's running in a frozen state
+
+> [!Warning]
+> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
+
+If the physical computer is still running in a frozen state, follow these steps to enable and collect memory dump:
+
+
+1. Make sure that the computer is set up to get a complete memory dump file and that you can access it through the network. To do this, follow these steps:
+ > [!Note]
+ > If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI interruption. The result of the action may not collect a memory dump file if some of the following settings aren't qualified.
+
+ 1. Try to access the desktop of the computer by any means.
+
+ > [!Note]
+ > In case accessing the operating system isn't possible, try to access Registry Editor on the computer remotely in order to check the type of memory dump file and page file with which the computer is currently configured.
+
+ 2. From a remote computer that is preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the concerned computer, and verify the following settings:
+
+ * ` `*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled`
+
+ Make sure that the [CrashDumpEnabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`.
+
+ * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump`
+
+ On some physical servers, if the NMICrashDump registry entry exists and its value is `1`, you may take advantage of the NMI from the remote management capabilities (such as DRAC, iLo, and RSA).
+
+ * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles and ExistingPageFiles`
+
+ If the value of the **Pagefile** registry entry is system managed, the size won't be reflected in the registry (Example value: ?:\pagefile.sys).
+
+ If the page file is customized, the size will be reflected in the registry, such as ‘?:\pagefile.sys 1024 1124’ where 1024 is the initial size and 1124 is the max size.
+
+ > [!Note]
+ > If the size isn't reflected in the Registry, try to access an Administrative share where the page file is located (such as \\\\**ServerName**\C$).
+
+ 3. Make sure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM.
+
+ 4. Make sure that there's more free space on the hard disk drives of the computer than there is physical RAM.
+
+2. Enable the **CrashOnCtrlScroll** registry value on the computer to allow the system to generate a dump file by using the keyboard. To do this, follow these steps:
+
+ 1. From a remote computer preferably in the same network and subnet, go to Registry Editor \> Connect Network Registry. Connect to the concerned computer and locate the following registry keys:
+
+ * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters`
+
+ * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters`
+
+ 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys:
+
+ **Value Name**: `CrashOnCtrlScroll`
+ **Data Type**: `REG_DWORD`
+ **Value**: `1`
+
+ 3. Exit Registry Editor.
+
+ 4. Restart the computer.
+
+3. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump.
+ > [!Note]
+ > By default, the dump file is located in the path: %SystemRoot%\MEMORY.DMP
+
+#### Use Pool Monitor to collect data for the physical computer that is no longer frozen
+
+Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag.
+
+Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](http://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx).
+
+#### Use memory dump to collect data for the virtual machine that's running in a frozen state
+
+Use the one of the following methods for the application on which the virtual machine is running.
+
+##### Microsoft Hyper-V
+
+If the virtual machine is running Windows 8, Windows Server 2012, or a later version of Windows on Microsoft Hyper-V Server 2012, you can use the built-in NMI feature through a [Debug-VM](https://docs.microsoft.com/previous-versions/windows/powershell-scripting/dn464280(v=wps.630)) cmdlet to debug and get a memory dump.
+
+To debug the virtual machines on Hyper-V, run the following cmdlet in Windows PowerShell:
+
+```powershell
+Debug-VM -Name "VM Name" -InjectNonMaskableInterrupt -ComputerName Hostname
+```
+
+> [!Note]
+> This method is applicable only to Windows 8, Windows Server 2012, and later versions of Windows virtual machines. For the earlier versions of Windows, see methods 1 through 4 that are described earlier in this section.
+
+##### VMware
+
+You can use VMware Snapshots or suspend state and extract a memory dump file equivalent to a complete memory dump file. By using [Checkpoint To Core Tool (vmss2core)](https://labs.vmware.com/flings/vmss2core), you can convert both suspend (.vmss) and snapshot (.vmsn) state files to a dump file and then analyze the file by using the standard Windows debugging tools.
+
+##### Citrix XenServer
+
+The memory dump process occurs by pressing the RIGHT CTRL + SCROLL LOCK + SCROLL LOCK keyboard combination that's described in Method 1 and on [the Citrix site](http://support.citrix.com/article/ctx123177).
+
+## Space limitations on the system drive in Windows Server 2008
+
+On Windows Server 2008, you may not have enough free disk space to generate a complete memory dump file on the system volume. There's a [hotfix](https://support.microsoft.com/help/957517) that allows for the data collection even though there isn't sufficient space on the system drive to store the memory dump file.
+
+Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](https://support.microsoft.com/help/969028).
+
+For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](http://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx).
\ No newline at end of file
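Review bot: `logman start LOGNAME_Long / LOGNAME_Short` and the matching `logman stop` line in Method 3 are not commands logman accepts; the slash reads as "or" to a person but is passed to the tool as an argument. Show the two commands separately (`logman start LOGNAME_Long`, `logman start LOGNAME_Short`, and likewise for stop), or state that each collector is started and stopped by name. Other points in this file: the sub-step list under step 1 of Method 1 is numbered 1, 2, 2, 3, 4, 5, 6 (the second "2." should be "3." and the rest shifted); "nonmakeable interruption (NMI)" in step 3 should read "non-maskable interrupt (NMI)"; the first registry path under "Connect Network Registry" carries a stray `` ` `* `` prefix that breaks the inline code span; the Value Name/Data Type/Value lines for CrashOnCtrlScroll in the "physical computer that's running in a frozen state" section lack the `-` bullets the same three lines have in Method 1, so markdown will run them together into one paragraph; "Use the one of the following methods" should be "Use one of the following methods"; "For Windows 8 Windows Server 2012" is missing a comma; `ms.mktglfcycl:` is left empty in the front matter; and the file lacks a trailing newline. Since the article itself says a complete memory dump captures data from every running process, that paragraph should add that the dump can contain credentials and other secrets and must be stored and transferred accordingly, and the CrashOnCtrlScroll steps should add that, while the value is set, anyone at the console keyboard can bugcheck the machine, so it should be removed once the dump has been collected.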
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index c212eae7d8..d540b098dd 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -7,45 +7,54 @@ ms.sitesec: library
ms.author: elizapo
author: kaushika-msft
ms.localizationpriority: medium
-ms.date: 11/08/2017
+ms.date: 11/08/2018
---
# Top support solutions for Windows 10
Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates:
-- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124/)
-- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825/)
-- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824/)
+- [Windows 10 version 1803 update history](https://support.microsoft.com/help/4099479)
+- [Windows 10 version 1709 update history](https://support.microsoft.com/help/4043454)
+- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124)
+- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825)
+- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824)
These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles.
-## Solutions related to installing Windows updates or hotfixes
-- [Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760/understanding-the-windowsupdate-log-file-for-advanced-users)
-- [You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer)
-- [Get-WindowsUpdateLog](https://technet.microsoft.com/itpro/powershell/windows/windowsupdate/get-windowsupdatelog)
-- [How to read the Windowsupdate.log file](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file)
-- [Can't download updates from Windows Update from behind a firewall or proxy server](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p)
-- [Computer staged from a SysPrepped image doesn't receive WSUS updates](https://support.microsoft.com/help/4010909/computer-staged-from-a-sysprepped-image-doesn-t-receive-wsus-updates)
-- [Servicing stack update for Windows 10 Version 1703: June 13, 2017](https://support.microsoft.com/help/4022405/servicingstackupdateforwindows10version1703june13-2017)
-- [Servicing stack update for Windows 10 Version 1607 and Windows Server 2016: March 14, 2017](https://support.microsoft.com/help/4013418/servicing-stack-update-for-windows-10-version-1607-and-windows-server)
+## Solutions related to installing Windows Updates
+- [How does Windows Update work](https://docs.microsoft.com/en-us/windows/deployment/update/how-windows-update-works)
+- [Windows Update log files](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-logs)
+- [Windows Update troubleshooting](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting)
+- [Windows Update common errors and mitigation](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-errors)
+- [Windows Update - additional resources](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources)
+
+## Solutions related to installing or upgrading Windows
+
+- [Quick Fixes](https://docs.microsoft.com/en-us/windows/deployment/upgrade/quick-fixes)
+- [Troubleshooting upgrade errors](https://docs.microsoft.com/en-us/windows/deployment/upgrade/troubleshoot-upgrade-errors)
+- [Resolution procedures](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolution-procedures)
+- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
+- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
+
+## Solutions related to BitLocker
+
+- [BitLocker recovery guide](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan)
+- [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)
+- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker)
+- [BitLocker Group Policy settings](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)
## Solutions related to Bugchecks or Stop Errors
- [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros)
- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
- [How to troubleshoot Windows-based computer freeze issues](https://support.microsoft.com/help/3118553/how-to-troubleshoot-windows-based-computer-freeze-issues)
-- [Understanding Bugchecks](https://blogs.technet.microsoft.com/askperf/2007/12/18/understanding-bugchecks/)
-- [Understanding Crash Dump Files](https://blogs.technet.microsoft.com/askperf/2008/01/08/understanding-crash-dump-files/)
+- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658)
+
+
+## Solutions related to Windows Boot issues
+- [Troubleshooting Windows boot problems for IT Pros](https://support.microsoft.com/help/4343769)
+- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
-## Solutions related to installing or upgrading Windows
-- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors)
-- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the)
-- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
-- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
-- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem)
-- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008)
-- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632)
-- [OOBE update for Windows 10 Version 1511: May 30, 2017](https://support.microsoft.com/help/4022633)
## Solutions related to configuring or managing the Start menu
- [Manage Windows 10 Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies)
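Review bot: The new update-history bullets use "version 1803" and "version 1709" while the retained ones use "Version 1703", "Version 1607" and "Version 1511"; pick one casing. The two upgrade-error links under "Solutions related to installing or upgrading Windows" point at `support.microsoft.com/en-in/...`, a locale-specific path, whereas the rest of the page uses locale-free or `en-us` URLs; use the same form as the surrounding entries. Dropping "Understanding Bugchecks" and "Understanding Crash Dump Files" from the Stop Errors list leaves the freeze-troubleshooting article as the only pointer to dump analysis, which is fine if intentional, but the reason (retired blog links) is worth a sentence in the PR description.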
@@ -57,7 +66,8 @@ These are the top Microsoft Support solutions for the most common issues experie
- [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic)
## Solutions related to wireless networking and 802.1X authentication
-
+- [Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-wireless-network-connectivity)
+- [Advanced Troubleshooting 802.1x Authentication](https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-802-authentication)
+- [Troubleshooting Windows 802.11 Wireless Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))
+- [Troubleshooting Windows Secure 802.3 Wired Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749352(v%3dws.10))
- [Windows 10 devices can't connect to an 802.1X environment](https://support.microsoft.com/kb/3121002)
-- [Windows 10 wireless connection displays "Limited" status](https://support.microsoft.com/kb/3114149)
-- [Computer that has VPN software installed can't detect wireless network after upgrading to Windows 10](https://support.microsoft.com/kb/3084164)
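Review bot: The first new bullet under "Solutions related to wireless networking and 802.1X authentication" is a broken link: `[Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/...)` puts a `]` inside the URL part, so it will not render as a link. It should read `[Advanced Troubleshooting Wireless Network Connectivity](https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-wireless-network-connectivity)`. The two removed KB entries (the "Limited" status and VPN-software items) were the only Windows 10-specific wireless bullets; if they were dropped because the KBs are retired, say so in the PR.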
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md
index a99249bc6b..54bb8122b7 100644
--- a/windows/client-management/windows-version-search.md
+++ b/windows/client-management/windows-version-search.md
@@ -15,7 +15,7 @@ ms.date: 04/30/2018
To determine if your device is enrolled in the [Long-Term Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them.
## System Properties
-Click **Start** > **Settings** > **Settings** > click **About** from the bottom of the left-hand menu
+Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
You'll now see **Edition**, **Version**, and **OS Build** information. Something like this:
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md
index 3a810a03ce..8eef8af221 100644
--- a/windows/configuration/kiosk-policies.md
+++ b/windows/configuration/kiosk-policies.md
@@ -61,7 +61,7 @@ Remove All Programs list from the Start Menu | Enabled – Remove and disable s
Prevent access to drives from My Computer | Enabled - Restrict all drivers
>[!NOTE]
->When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
+>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
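Review bot: the spelling fix is correct, but the unchanged context line at the top of the hunk, `Prevent access to drives from My Computer | Enabled - Restrict all drivers`, has a typo of the same kind: the Group Policy option is named "Restrict all drives", so "drivers" should be corrected while this table is being touched.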
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 46423972f4..232a0d1e60 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -315,7 +315,7 @@ The following example hides the taskbar:
```
>[!IMPORTANT]
->The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Direcotry account could potentially compromise confidential information.
+>The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information.
#### Configs
@@ -619,7 +619,7 @@ Remove All Programs list from the Start Menu | Enabled – Remove and disable s
Prevent access to drives from My Computer | Enabled - Restrict all drivers
>[!NOTE]
->When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
+>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
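Review bot: as in kiosk-policies.md, the context line `Prevent access to drives from My Computer | Enabled - Restrict all drivers` in this hunk should say "Restrict all drives", which is the actual option name for this policy; worth fixing in the same commit since the hunk already edits the note directly below it.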
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index 585fe8822f..eea5619b50 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -84,7 +84,7 @@ Review the following tables for details about Office support in UE-V:
Microsoft PowerPoint 2016
Microsoft Project 2016
Microsoft Publisher 2016
-Microsoft SharePoint Designer 2013 (not udpated for 2016)
+Microsoft SharePoint Designer 2013 (not updated for 2016)
Microsoft Visio 2016
Microsoft Word 2016
Microsoft Office Upload Manager
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index a70b584daf..c1d98d727b 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -73,7 +73,7 @@ For more information about integrating on-premises AD DS domains with Azure AD,
## Preparing for deployment: reviewing requirements
-Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
## Assigning licenses to users
@@ -225,7 +225,7 @@ Use the following figures to help you troubleshoot when users experience these c
### Review requirements on devices
-Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure Active Directory joined:**
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index be1e1f9ea7..b00555481d 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -26,7 +26,7 @@ This topic provides an overview of new solutions and online content related to d
## The Modern Desktop Deployment Center
-The [Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus.
+The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus.
## Windows 10 servicing and support
diff --git a/windows/deployment/planning/windows-10-1809-removed-features.md b/windows/deployment/planning/windows-10-1809-removed-features.md
index fe64501dab..0c87d5a683 100644
--- a/windows/deployment/planning/windows-10-1809-removed-features.md
+++ b/windows/deployment/planning/windows-10-1809-removed-features.md
@@ -7,7 +7,7 @@ ms.localizationpriority: medium
ms.sitesec: library
author: lizap
ms.author: elizapo
-ms.date: 08/31/2018
+ms.date: 11/16/2018
---
# Features removed or planned for replacement starting with Windows 10, version 1809
@@ -32,7 +32,7 @@ We're removing the following features and functionalities from the installed pro
|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.|
|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.|
|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.|
-|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 8 and Windows Embedded 8 Standard|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx).|
+|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.|
## Features we’re no longer developing
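Review bot: the rewritten row still points administrators to `http://www.catalog.update.microsoft.com/Home.aspx` over plain HTTP even though the row tells them to obtain updates from that site; the catalog is served over HTTPS, so the link should use `https://`. The phrasing "you may secure any new updates from" is also unclear; "you can get any new updates from" says what is meant and matches the "Learn how ... to get updates from the catalog" sentence appended in the same row.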
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index b79237a3e1..7dcb96facc 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -1,7 +1,7 @@
---
title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
-keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing channels, deployment tools
+keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 0b00273fa8..b44f133b50 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 06/01/2018
+ms.date: 11/16/2018
---
# Configure Windows Update for Business
@@ -20,10 +20,6 @@ ms.date: 06/01/2018
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still appear in some of our products.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@@ -40,83 +36,77 @@ By grouping devices with similar deferral periods, administrators are able to cl
>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
-## Configure devices for Current Branch (CB) or Current Branch for Business (CBB)
-With Windows Update for Business, you can set a device to be on either the Current Branch (CB) (now called Semi-Annual Channel (Targeted)) or the Current Branch for Business (CBB) (now called Semi-Annual Channel) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
+
+## Configure devices for the appropriate service channel
+
+With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the Semi-Annual Channel servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
**Release branch policies**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+| GPO for Windows 10, version 1607 or later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
+| MDM for Windows 10, version 1607 or later: ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
-Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**.
+Starting with Windows 10, version 1703, users can configure the branch readiness level for their device by using **Settings > Update & security > Windows Update > Advanced options**.

>[!NOTE]
>Users will not be able to change this setting if it was configured by policy.
->[!IMPORTANT]
->Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
-## Configure when devices receive Feature Updates
+## Configure when devices receive feature updates
-After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
+After you configure the servicing branch (Windows Insider Preview or Semi-Annual Channel), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
>[!IMPORTANT]
->This policy does not apply to Windows 10 Mobile Enterprise.
>
->You can only defer up to 180 days prior to version 1703.
+>You can only defer up to 180 days on devices running Windows 10, version 1703.
-**Examples**
+For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.
-| Settings | Scenario and behavior |
-| --- | --- |
-| Device is on CBDeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. |
-| Device is on CBBDeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. |
-**Defer Feature Updates policies**
+**Policy settings for deferring feature updates**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+| GPO for Windows 10, version 1607 later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
>[!NOTE]
->If not configured by policy, users can defer feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
+>If not configured by policy, individual users can defer feature updates by using **Settings > Update & security > Windows Update > Advanced options**.
-## Pause Feature Updates
+## Pause feature updates
-You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
+You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, you can then pause Feature Updates for the device again.
-Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
+Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
-In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
+In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date.
>[!IMPORTANT]
->This policy does not apply to Windows 10 Mobile Enterprise.
>
->Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has been changed to 35, similar to the number of days for quality updates.
+>In Windows 10, version 1703 and later versions, you can pause feature updates to 35 days, similar to the number of days for quality updates.
-**Pause Feature Updates policies**
+**Policy settings for pausing feature updates**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates **1703:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
-You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
-The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+The local group policy editor (GPEdit.msc) will not reflect whether the Feature Update pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking Feature Updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
| Value | Status|
| --- | --- |
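Review bot: the rewritten IMPORTANT line `+>You can only defer up to 180 days on devices running Windows 10, version 1703.` inverts the original. The removed line, `->You can only defer up to 180 days prior to version 1703.`, says the 180-day cap applies to versions earlier than 1703, and the paragraph directly above states the 365-day limit; as rewritten, the note contradicts that paragraph. Suggest `>You can only defer up to 180 days on devices running versions earlier than Windows 10, version 1703.` Smaller points in the same hunk: the first row of the feature-update deferral table reads `GPO for Windows 10, version 1607 later:` (missing "and"), and the release-branch table uses "or later" where the other tables use "and later"; the feature-update pause IMPORTANT now says "you can pause feature updates to 35 days" where "for up to 35 days" is meant, and dropping the sentence about the earlier 60-day limit removes the reason the note existed; and the deleted IMPORTANT about Semi-Annual Channel devices needing diagnostic data set to 1 (Basic) was the only place that requirement appeared, so if it still applies it should be kept with the updated channel names rather than removed.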
@@ -125,58 +115,58 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda
| 2 | Feature Updates have auto-resumed after being paused |
>[!NOTE]
->If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
+>If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**.
-With version 1703, pausing through the settings app will provide a more consistent experience:
-- Any active restart notification are cleared or closed
-- Any pending restarts are canceled
-- Any pending update installations are canceled
-- Any update installation running when pause is activated will attempt to rollback
+Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:
+- Any active restart notification are cleared or closed.
+- Any pending restarts are canceled.
+- Any pending update installations are canceled.
+- Any update installation running when pause is activated will attempt to roll back.
## Configure when devices receive Quality Updates
-Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
+Quality Updates are typically published on the first Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
-You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
+You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
>[!IMPORTANT]
>This policy defers both Feature and Quality Updates on Windows 10 Mobile Enterprise.
-**Defer Quality Updates policies**
+**Policy settings for deferring quality updates**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
>[!NOTE]
->If not configured by policy, users can defer quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
+>If not configured by policy, individual users can defer quality updates by using **Settings > Update & security > Windows Update > Advanced options**.
-## Pause Quality Updates
+## Pause quality updates
-You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again.
+You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality Updates. Following this scan, you can then pause quality Updates for the device again.
-Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
+Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
-In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
+In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date.
->[!IMPORTANT]
->This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise.
+>[!NOTE]
+>Starting with Windows 10, version 1809, IT administrators can prevent individual users from pausing updates.
-**Pause Quality Updates policies**
+**Policy settings for pausing quality updates**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime |
-| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime |
-| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime |
+| GPO for Windows 10, version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime |
+| MDM for Windows 10, version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
-You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+You can check the date that quality Updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
-The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+The local group policy editor (GPEdit.msc) will not reflect whether the quality Update pause period has expired. Although the device will resume quality Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
| Value | Status|
| --- | --- |
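Review bot: The replaced callout silently drops the statement that this policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise (the removed [!IMPORTANT] block); if that behavior still holds, keep it next to the new 1809 note rather than replacing it, and have the new note name or link the policy that lets administrators prevent users from pausing updates, since it currently names no setting. Capitalization is also inconsistent within the added lines: "Quality Updates", "quality Updates" and "quality updates" all appear in the rewritten pause paragraphs (the lines beginning "You can also pause", "You can check the date" and "The local group policy editor") while the heading was changed to "Pause quality updates"; pick one form. Finally, the registry-key cells run two paths together with no separator ("...WindowsUpdate\DeferQualityUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays" and "**1607:** ...PauseQualityUpdates**1703:** ...PauseQualityUpdatesStartTime"); put a line break between them so each key is readable.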
@@ -185,21 +175,22 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda
| 2 | Quality Updates have auto-resumed after being paused |
>[!NOTE]
->If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
+>If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**.
-With version 1703, pausing through the settings app will provide a more consistent experience:
+Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
-## Configure when devices receive Windows Insider preview builds
+## Configure when devices receive Windows Insider Preview builds
Starting with Windows 10, version 1709, you can set policies to manage preview builds and their delivery:
The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
* MDM: **Update/ManagePreviewBuilds**
+* System Center Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy**
>[!IMPORTANT]
>This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here:
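Review bot: The added Configuration Manager bullet, "**Enable dual scan, manage through Windows Update for Business policy**", is formatted like the Group Policy and MDM setting names above it but is really two actions rather than one setting; reword it in the same style as the other bullets, for example "System Center Configuration Manager: enable dual scan on the collection, then manage it through Windows Update for Business policy", and state the Configuration Manager version it needs if one applies. While this list is being touched, the unchanged bullets have grammar slips worth fixing: "Any active restart notification are cleared" should be "notifications are", and "will attempt to rollback" should be "roll back". The [!IMPORTANT] that follows still reads "policy under that is only supported", which is missing a word after "under".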
@@ -212,18 +203,18 @@ The policy settings to **Select when Feature Updates are received** allows you t
## Exclude drivers from Quality Updates
-In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
+Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to Feature Updates, where drivers might be dynamically installed to ensure the Feature Update process can complete.
-**Exclude driver policies**
+**Policy settings to exclude drivers**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
-| GPO for version 1607 and above: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
-| MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
+| GPO for Windows 10, version 1607 and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
+| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
-## Summary: MDM and Group Policy for version 1703
+## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later
-Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607 and above.
+The following are quick-reference tables of the supported policy values for Windows Update for Business in Windows 10, version 1607 and later.
**GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
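Review bot: The renamed heading says "Summary: MDM and Group Policy settings for Windows 10, version 1703 and later", but the rewritten sentence beneath it still says "the supported policy values for Windows Update for Business in Windows 10, version 1607 and later"; the heading and the intro must state the same minimum version. In the driver paragraph, "where drivers might be dynamically installed to ensure the Feature Update process can complete" reads more naturally as "where drivers might be installed dynamically so the Feature Update can complete".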
@@ -252,25 +243,14 @@ Below are quick-reference tables of the supported Windows Update for Business po
## Update devices to newer versions
-Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, also uses a few GPO and MDM keys that are different to what's available in version 1607. However, Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
+Due to the changes in Windows Update for Business, Windows 10, version 1607 uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703 also uses a few GPO and MDM keys that are different from those available in version 1607. However, Windows Update for Business devices running older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
### How older version policies are respected on newer versions
-When a client running a newer version sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for it's version. If these are not present, it will then check to see if any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent.
+When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these are not present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent.
-### Comparing the version 1511 keys to the version 1607 keys
-In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other.
-
-Group Policy keysVersion 1511 GPO keys | Version 1607 GPO keys |
-**DeferUpgrade**: *enable/disable*Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***Pause**: *enable/disable*Enabling will pause both upgrades and updates for a max of 35 days | **DeferFeatureUpdates**: *enable/disable***BranchReadinessLevel**Set device on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable*Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdates**: *Enable/disable***DeferQualityUpdatesPeriodinDays**: *0 - 35 days***PauseQualityUpdates**: *enable/disable*Enabling will pause Quality updates for a max of 35 days**ExcludeWUDrivers**: *enable/disable* |
-
-
-MDM keysVersion 1511 MDM keys | Version 1607 MDM keys |
-**RequireDeferUpgade**: *bool*Puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***PauseDeferrals**: *bool*Enabling will pause both upgrades and updates for a max of 35 days | **BranchReadinessLevel**Set system on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable*Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdatesPeriodinDays**: *0 - 35 days***PauseQualityUpdates**: *enable/disable*Enabling will pause Quality updates for a max of 35 days**ExcludeWUDriversInQualityUpdate**: *enable/disable* |
-
-
-### Comparing the version 1607 keys to the version 1703 keys
+### Comparing keys in Windows 10, version 1607 to Windows 10, version 1703
| Version 1607 key | Version 1703 key |
| --- | --- |
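Review bot: Subject-verb agreement in the rewritten "How older version policies are respected" paragraph: "it then checks whether any of the older version keys are set and defer accordingly" should be "and defers accordingly", and "Windows Updates for Business policy keys" should be "Windows Update for Business policy keys", as the product is named everywhere else in this patch. Separately, deleting the whole "Comparing the version 1511 keys to the version 1607 keys" section (both the GPO and the MDM table) leaves the 1511 keys that the policy tables earlier in this file still list (DeferUpdatePeriod, RequireDeferUpdate, Pause, and the DeferUpgrade MDM policy) with no explanation of how they map to the 1607 keys, even though the paragraph just above says older-version keys are still honored after an upgrade; either keep a condensed mapping or point readers to where it now lives.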
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index bab0085402..4df6cd83e0 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 06/01/2018
+ms.date: 11/16/2018
---
# Deploy updates using Windows Update for Business
@@ -20,12 +20,9 @@ ms.date: 06/01/2018
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still apear in some of our products.
->
->In the following settings, CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.
+
+Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined devices. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.
Specifically, Windows Update for Business allows for:
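Review bot: Removing the [!IMPORTANT] about the CB/CBB/LTSB naming changes also removes the only place in this topic that defined those terms and the link to waas-overview.md#naming-changes; before merging, confirm that no remaining text in this file still uses CB or CBB, otherwise readers of the setting names lose that mapping. The change also adds an empty "+" line directly above the rewritten paragraph; check that it is not producing a double blank line in the rendered page. The "machines" to "devices" wording change is consistent with the rest of the patch.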
@@ -35,7 +32,7 @@ Specifically, Windows Update for Business allows for:
- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.
- Control over diagnostic data level to provide reporting and insights in Windows Analytics.
-Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education.
+Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education editions.
>[!NOTE]
>See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
@@ -48,79 +45,70 @@ Windows Update for Business provides three types of updates to Windows 10 device
- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
-Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business.
+Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a deferral period of 365 days, the update will not be offered until 365 days after that update was released).
-| Category | Maximum deferral | Deferral increments | Example | Classification GUID |
+| Category | Maximum deferral | Deferral increments | Example | WSUS classification GUID |
| --- | --- | --- | --- | --- |
-| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 daysIn Windows 10, version 1703 maximum is 365 | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
-| Quality Updates | 30 days | Days | Security updatesDrivers (optional)Non-security updatesMicrosoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83varies |
+| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days.From Windows 10, version 1703 to version 1809, the maximum is 365 days. | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
+| Quality Updates | 30 days | Days | Security updatesDrivers (optional)Non-security updatesMicrosoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83varies |
| Non-deferrable | No deferral | No deferral | Definition updates | E0789628-CE08-4437-BE74-2495B842F43B |
>[!NOTE]
>For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/library/ff357803.aspx).
-## Changes to Windows Update for Business in Windows 10, version 1709
+## Windows Update for Business in various Windows 10 versions
-The group policy path for Windows Update for Business was changed to correctly reflect its association to Windows Update for Business.
+Windows Update for Business was first available in Windows 10, version 1511. This diagram lists new or changed capabilities and updated behavior in subsequent versions.
-| Prior to Windows 10, version 1709 | Windows 10, version 1709 |
-| --- | --- |
-| Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business |
-We have added the ability to manage Windows Insider preview builds and their delivery:
+| Windows 10, version 1511 | 1607 | 1703 | 1709 | 1803 | 1809 |
+| --- | --- | --- | --- | --- | --- |
+| Defer quality updatesDefer feature updatesPause updates | All 1511 features, plus: **WSUS integration** | All 1607 features, plus **Settings controls** | All 1703 features, plus **Ability to set slow vs. fast Insider Preview branch** | All 1709 features, plus **Uninstall updates remotely** | All 1803 features, plus **Option to use default automatic updates****Ability to set separate deadlines for feature vs. quality updates****Admins can prevent users from pausing updates**
+## Managing Windows Update for Business with Group Policy
-The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
-* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
-* MDM: **Update/ManagePreviewBuilds**
+The group policy path for Windows Update for Business has changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage pre-release Windows Insider Preview builds in Windows 10, version 1709.
->[!IMPORTANT]
->This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here:
->* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds**
->* MDM: **System/AllowBuildPreview**
+| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 |
+| --- | --- | --- |
+| Set Windows Update for Business Policies | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business |
+| Manage Windows Insider Preview builds | Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds | Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business - *Manage preview builds* |
+| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business - **Select when Preview Builds and Feature Updates are received**) |
-The policy settings to **Select when Feature Updates are received** is now called **Select when Preview Builds and Feature Updates are received**. In addition to previous functionality, it now allows you to choose between preview flight rings, and allows you to defer or pause their delivery.
-* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received*
-* MDM: **Update/BranchReadinessLevel**
+## Managing Windows Update for Business with MDM
-## Changes to Windows Update for Business in Windows 10, version 1703
+Starting with Windows 10, version 1709, Windows Update for Business was changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage Windows Insider Preview builds in 1709.
-### Options added to Settings
+| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 |
+| --- | --- | --- |
+| Manage Windows Insider Preview builds | System/AllowBuildPreview | Update/ManagePreviewBuilds |
+| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Update/BranchReadinessLevel) |
-We have added a few controls into settings to allow users to control Windows Update for Business through an interface.
-- [Configuring the device's branch readiness level](waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), through **Settings > Update & security > Windows Update > Advanced options**
-- [Pausing feature updates](waas-configure-wufb.md#pause-feature-updates), through **Settings > Update & security > Window Update > Advanced options**
+## Managing Windows Update for Business with Software Center Configuration Manager
-### Adjusted time periods
+Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within Software Center Configuration Manager.
-We have adjusted the maximum pause period for both quality and feature updates to be 35 days, as opposed to 30 and 60 days previously, respectively.
+| Action | Windows 10 versions between 1709 and 1809 | Windows 10 versions after 1809 |
+| --- | --- | --- |
+| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within Software Center Configuration Manager |
-We have also adjusted the maximum feature update deferral period to be 365 days, as opposed to 180 days previously.
+## Managing Windows Update for Business with Windows Settings options
+Windows Settings includes options to control certain Windows Update for Business features:
-### Additional changes
+- [Configure the readiness level](waas-configure-wufb.md#configure-devices-for-the-appropriate-service-channel) for a branch by using **Settings > Update & security > Windows Update > Advanced options**
+- [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) by using Settings > Update & security > Window Update > Advanced options
-The pause period is now calculated starting from the set start date. For additional details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). Due to that, some policy keys are now named differently. For more information, see [Comparing the version 1607 keys to the version 1703 keys](waas-configure-wufb.md#comparing-the-version-1607-keys-to-the-version-1703-keys).
+## Other changes in Windows Update for Business in Windows 10, version 1703 and later releases
-## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607
-Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.
+### Pause and deferral periods
->[!NOTE]
->For more information on Current Branch (Semi-Annual Channel (Targeted)) and Current Branch for Business (Semi-Annual Channel), see [Windows 10 servicing options](waas-overview.md#servicing-channels).
+The maximum pause time period is 35 days for both quality and feature updates. The maximum deferral period for feature updates is 365 days.
-
-
- Capability | Windows 10, version 1511 | Windows 10, version 1607 |
-
-
-
- Select servicing options: CB or CBB | Not available. To defer updates, all systems must be on the Current Branch for Business (CBB) | Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB). |
-Quality Updates | Able to defer receiving Quality Updates: - Up to 4 weeks
- In weekly increments
| Able to defer receiving Quality Updates: - Up to 30 days
- In daily increments
|
-Feature Updates | Able to defer receiving Feature Updates: - Up to 8 months
- In monthly increments
| Able to defer receiving Feature Updates: - Up to 180 days
- In daily increments
|
-Pause updates | - Feature Updates and Quality Updates paused together
- Maximum of 35 days
| Features and Quality Updates can be paused separately. - Feature Updates: maximum 60 days
- Quality Updates: maximum 35 days
|
-Drivers | No driver-specific controls | Drivers can be selectively excluded from Windows Update for Business. |
-
+Also, the pause period is calculated from the set start date. For more details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). As a result, certain policy keys have different names; see the "Comparing keys in Windows 10, version 1607 to Windows 10, version 1703" section in [Configure Windows Update for Business](waas-configure-wufb.md) for details.
-## Monitor Windows Updates using Update Compliance
+
+
+## Monitor Windows Updates by using Update Compliance
Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.
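Review bot: Product name: the new Configuration Manager section uses "Software Center Configuration Manager" in its heading, its paragraph and its table row, while this same patch writes "System Center Configuration Manager" in waas-configure-wufb.md and waas-optimize-windows-10-updates.md; Software Center is the client application, so all three occurrences should read "System Center Configuration Manager". The new table column headers "Windows 10 versions after 1709" and "Windows 10 versions after 1809" exclude the very versions in which the changes were introduced, whereas the surrounding prose says "Starting with Windows 10, version 1709" and "Starting with Windows 10, version 1809"; use "1709 and later" and "1809 and later", and "between 1709 and 1809" becomes "1709 to 1803". Smaller fixes in the same hunk: the MDM intro "Windows Update for Business was changed to correctly reflect its association to Windows Update for Business" is circular (copied from the Group Policy section) and should say what changed, namely the Update/ManagePreviewBuilds and Update/BranchReadinessLevel settings listed in its table; "This diagram lists" introduces a table, not a diagram; "Settings > Update & security > Window Update > Advanced options" in the "Pause feature updates" bullet should read "Windows Update" and be bolded like the bullet above it; and the 1809 cell of the versions table runs three bold phrases together ("...automatic updates****Ability to set...") with no separator, as does "maximum was 180 days.From Windows 10" in the Feature Updates row.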
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index 8446553143..70cba0bcec 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -54,7 +54,7 @@ Windows 10 quality update downloads can be large because every package contains
>Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
### How Microsoft supports Express
-- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update.
+- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
- **Express on WSUS Standalone**
Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
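Review bot: The unchanged WSUS line directly below the edited bullet reads "all support versions of WSUS" and should be "all supported versions"; worth fixing while this list is touched. The rewritten Configuration Manager bullet itself is clear.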
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
index 91ff222523..cb55ad0bc9 100644
--- a/windows/deployment/update/waas-servicing-differences.md
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -51,7 +51,7 @@ This cumulative update model for Windows 10 has helped provide the Windows ecosy
- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
## Windows 7 and legacy OS versions
-While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in aa fragmented environment, we moved Windows 7 to a cumulative update model in October 2016.
+While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in a fragmented environment, we moved Windows 7 to a cumulative update model in October 2016.
Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered two cumulative package types for all legacy operating systems: Monthly Rollups and Security-only updates.
@@ -103,4 +103,4 @@ In closing, I hope this overview of the update model across current and legacy W
- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798)
- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/)
- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376)
-- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434)
\ No newline at end of file
+- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434)
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 643e549073..49a13d74fc 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -28,9 +28,16 @@ Using Group Policy to manage Windows Update for Business is simple and familiar:
In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch.
->[!NOTE]
+>[!NOTES]
>The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511.
+>To follow the instructions in this article, you will need to download and install the relevant ADMX templates for your Windows 10 version.
+>See the following articles for instructions on the ADMX templates in your environment.
+
+> - [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759)
+> - [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/)
+
+
To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
## Configure Windows Update for Business in Windows 10 version 1511
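Review bot: `>[!NOTES]` on the changed alert line is not a valid alert type; the docs renderer recognizes only NOTE, TIP, IMPORTANT, CAUTION and WARNING, so this will render as an ordinary blockquote with the literal text "[!NOTES]" in it. Keep `>[!NOTE]` as it was. The bare blank line inserted after "See the following articles..." also terminates the blockquote, so the two `> -` link bullets become a second quote outside the note; either prefix that separator line with `>` or drop it. Minor wording: "instructions on the ADMX templates in your environment" reads awkwardly, suggest "instructions for installing the ADMX templates in your environment".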
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index c62c65555b..ebb0b5998f 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -52,7 +52,7 @@ To enable KMS functionality, a KMS key is installed on a KMS host; then, the hos
For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032).
## Key Management Service in Windows Server 2012 R2
-Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Sever 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
+Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
**Note**
You cannot install a client KMS key into the KMS in Windows Server.
diff --git a/windows/deployment/windows-autopilot/intune-connector.md b/windows/deployment/windows-autopilot/intune-connector.md
index cc2d85e737..50ee521951 100644
--- a/windows/deployment/windows-autopilot/intune-connector.md
+++ b/windows/deployment/windows-autopilot/intune-connector.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
-ms.date: 11/13/2018
+ms.date: 11/26/2018
---
@@ -23,44 +23,30 @@ In this preview version of the Intune Connector, you might receive an error mess
**0x80070658 - Error applying transforms. Verify that the specified transform paths are valid.**
-See the following example:
-
-
+An [example](#example) of the error message is displayed at the bottom of this topic.
This error can be resolved by ensuring that the member server where Intune Connector is running has one of the following language packs installed and configured to be the default keyboard layout:
-en-US
-cs-CZ
-da-DK
-de-DE
-el-GR
-es-ES
-fi-FI
-fr-FR
-hu-HU
-it-IT
-ja-JP
-ko-KR
-nb-NO
-nl-NL
-pl-PL
-pt-BR
-ro-RO
-ru-RU
-sv-SE
-tr-TR
-zh-CN
-zh-TW
+| | | | | | | | | | | |
+| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
+| en-US | cs-CZ | da-DK | de-DE | el-GR | es-ES | fi-FI | fr-FR | hu-HU | it-IT | ja-JP |
+| ko-KR | nb-NO | nl-NL | pl-PL | pt-BR | ro-RO | ru-RU | sv-SE | tr-TR | zh-CN | zh-TW |
-This solution is a workaround and will be fully resolved in a future release of the Intune Connector.
+>[!NOTE]
+>After installing the Intune Connector, you can restore the keyboard layout to its previous settings.
+>This solution is a workaround and will be fully resolved in a future release of the Intune Connector.
To change the default keyboard layout:
1. Click **Settings > Time & language > Region and language**
2. Select one of the languages listed above and choose **Set as default**.
-Note: If the language you need isn't listed, you can add additional languages by selecting **Add a language**.
-
-
+If the language you need isn't listed, you can add additional languages by selecting **Add a language**.
+
+## Example
+
+The following is an example of the error message that can be displayed if one of the listed languages is not used during setup:
+
+
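Review bot: The new language table has an all-empty header row (`| | | | ... |`), which renders a blank header strip and gives screen readers nothing to announce; the cells are a flat set of locale codes rather than columns with distinct meaning, so either give the table a real single header such as "Supported language packs" or keep the list form. Separately, the sentence above the table asks for a language pack "installed and configured to be the default keyboard layout", but the steps under "To change the default keyboard layout" go to Region and language and set a language as default, not a keyboard layout; reconcile the two so the reader knows which setting actually clears 0x80070658. The `#example` anchor in the first `+` line does match the new `## Example` heading.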
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
index 2b9a7d76f8..e7df24a12c 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
@@ -26,12 +26,13 @@ Windows Autopilot depends on specific capabilities available in Windows 10 and A
- Enterprise
- Education
- One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality:
- - Microsoft 365 Business subscriptions
- - Microsoft 365 F1 subscriptions
- - Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
- - Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features
- - Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)
+ - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
+ - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
+ - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
+ - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
+ - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features
+ - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/en-us/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service)
Additionally, the following are also recommended but not required:
-- Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services)
+- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services)
- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise
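Review bot: The new "Microsoft 365 Academic A1, A3, or A5 subscriptions" bullet is a substantive licensing change, not just a link addition like the rest of the hunk, and unlike the Enterprise and EM+S bullets it carries no statement that these plans include the Azure AD and Intune features the list is meant to guarantee; please confirm that A1 in particular provides automatic MDM enrollment and Intune, or qualify the bullet the way the neighbouring ones are. Style: the new links hard-code `/en-us/` in the URL while the existing docs link in the last context line is locale-free; drop the locale segment so localized pages do not link back to English.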
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 16c86b4a0f..dac41359d2 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -71,7 +71,7 @@ The Windows 10 operating system introduces a new way to build, deploy, and servi
These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
- [Read more about Windows as a Service](/windows/deployment/update/waas-overview)
-- [Read how much space does Windows 10 take](https://www.microsoft.com/en-us/windows/windows-10-specifications)
+
## Related topics
[Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009)
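Review bot: Removing the "Read how much space does Windows 10 take" bullet leaves an empty `+` line in its place, so the list now ends with a stray blank line before "## Related topics"; delete the line rather than blanking it, and note in the commit message why the link was dropped so a reviewer can tell whether a replacement was intended.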
diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md
index 6148d1201c..5a0db3b73e 100644
--- a/windows/privacy/TOC.md
+++ b/windows/privacy/TOC.md
@@ -14,7 +14,10 @@
## Full level categories
### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
-## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
+## Manage Windows 10 connection endpoints
+### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
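Review bot: Turning "Manage Windows 10 connection endpoints" into a plain heading drops manage-windows-endpoints.md from the TOC entirely; if that file is being removed, this change needs a redirect entry for it (it was a linked page, so inbound links exist), and if it is kept, it becomes an orphan that is no longer reachable from navigation. Either way, nothing in this hunk says which, so please state it in the commit or add the redirect alongside.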
diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md
index d7673c5f3d..273464ae5a 100644
--- a/windows/privacy/gdpr-it-guidance.md
+++ b/windows/privacy/gdpr-it-guidance.md
@@ -237,6 +237,11 @@ The lowest diagnostic data setting level supported on Windows Server 2016 and Wi
IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings.
+There are two options for deleting Windows diagnostic data from a Windows Server machine:
+
+- If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are the same options available for an IT administrator that end users have with Windows 10, version 1803 and version 1809, to submit a request for deleting that device’s diagnostic data. This is done by clicking the **Delete** button in the **Delete diagnostic data** section of **Start > Settings > Privacy > Diagnostics & feedback**.
+- Microsoft has provided a [PowerShell cmdlet](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata) that IT administrators can use to delete Windows diagnostic data via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows Server 2019. For more information, see [the PowerShell Gallery](https://www.powershellgallery.com/packages/WindowsDiagnosticData).
+
### Backups and Windows Server
Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data.
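Review bot: The second bullet says "PowerShell cmdlet" and then "This cmdlet", but the link points to a module (windowsdiagnosticdata) rather than a specific cmdlet; name the cmdlet the administrator should run, or say "PowerShell module" consistently. This same patch adds a license-terms page for that module (license-terms-windows-diagnostic-data-for-powershell.md) but nothing here links to it; if the terms apply to its use, link them from this bullet. Minor wording in the first bullet: "there are the same options available for an IT administrator that end users have" is clumsy, suggest "an IT administrator has the same options that end users have on Windows 10, version 1803 and version 1809".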
diff --git a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md
new file mode 100644
index 0000000000..ee8ecf4a8b
--- /dev/null
+++ b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md
@@ -0,0 +1,92 @@
+---
+title: MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL
+description: MICROSOFT SOFTWARE LICENSE TERMS
+keywords: privacy, license, terms
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: danihalfin
+ms.author: daniha
+ms.date: 11/16/2018
+robots: noindex,nofollow
+---
+
+MICROSOFT SOFTWARE LICENSE TERMS
+
+MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL
+
+
+
+These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or additional terms, in which case those different terms apply prospectively and do not alter your or Microsoft’s rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.
+
+1. INSTALLATION AND USE RIGHTS.
+
+a) General. You may install and use any number of copies of the software.
+
+b) Third Party Software. The software may include third party applications that Microsoft, not the third party, licenses to you under this agreement. Any included notices for third party applications are for your information only.
+
+2. DATA COLLECTION. The software may collect information about you and your use of the software and send that to Microsoft. Microsoft may use this information to provide services and improve Microsoft’s products and services. Your opt-out rights, if any, are described in the product documentation. Some features in the software may enable collection of data from users of your applications that access or use the software. If you use these features to enable data collection in your applications, you must comply with applicable law, including getting any required user consent, and maintain a prominent privacy policy that accurately informs users about how you use, collect, and share their data. You can learn more about Microsoft’s data collection and use in the product documentation and the Microsoft Privacy Statement at https://go.microsoft.com/fwlink/?LinkId=512132. You agree to comply with all applicable provisions of the Microsoft Privacy Statement.
+
+3. SCOPE OF LICENSE. The software is licensed, not sold. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you will not (and have no right to):
+
+a) work around any technical limitations in the software that only allow you to use it in certain ways;
+
+b) reverse engineer, decompile or disassemble the software;
+
+c) remove, minimize, block, or modify any notices of Microsoft or its suppliers in the software;
+
+d) use the software in any way that is against the law or to create or propagate malware; or
+
+e) share, publish, distribute, or lend the software, provide the software as a stand-alone hosted solution for others to use, or transfer the software or this agreement to any third party.
+
+4. EXPORT RESTRICTIONS. You must comply with all domestic and international export laws and regulations that apply to the software, which include restrictions on destinations, end users, and end use. For further information on export restrictions, visit http://aka.ms/exporting.
+
+5. SUPPORT SERVICES. Microsoft is not obligated under this agreement to provide any support services for the software. Any support provided is “as is”, “with all faults”, and without warranty of any kind.
+
+6. ENTIRE AGREEMENT. This agreement, and any other terms Microsoft may provide for supplements, updates, or third-party applications, is the entire agreement for the software.
+
+7. APPLICABLE LAW AND PLACE TO RESOLVE DISPUTES. If you acquired the software in the United States or Canada, the laws of the state or province where you live (or, if a business, where your principal place of business is located) govern the interpretation of this agreement, claims for its breach, and all other claims (including consumer protection, unfair competition, and tort claims), regardless of conflict of laws principles. If you acquired the software in any other country, its laws apply. If U.S. federal jurisdiction exists, you and Microsoft consent to exclusive jurisdiction and venue in the federal court in King County, Washington for all disputes heard in court. If not, you and Microsoft consent to exclusive jurisdiction and venue in the Superior Court of King County, Washington for all disputes heard in court.
+
+8. CONSUMER RIGHTS; REGIONAL VARIATIONS. This agreement describes certain legal rights. You may have other rights, including consumer rights, under the laws of your state, province, or country. Separate and apart from your relationship with Microsoft, you may also have rights with respect to the party from which you acquired the software. This agreement does not change those other rights if the laws of your state, province, or country do not permit it to do so. For example, if you acquired the software in one of the below regions, or mandatory country law applies, then the following provisions apply to you:
+
+a) Australia. You have statutory guarantees under the Australian Consumer Law and nothing in this agreement is intended to affect those rights.
+
+b) Canada. If you acquired this software in Canada, you may stop receiving updates by turning off the automatic update feature, disconnecting your device from the Internet (if and when you re-connect to the Internet, however, the software will resume checking for and installing updates), or uninstalling the software. The product documentation, if any, may also specify how to turn off updates for your specific device or software.
+
+c) Germany and Austria.
+
+i. Warranty. The properly licensed software will perform substantially as described in any Microsoft materials that accompany the software. However, Microsoft gives no contractual guarantee in relation to the licensed software.
+
+ii. Limitation of Liability. In case of intentional conduct, gross negligence, claims based on the Product Liability Act, as well as, in case of death or personal or physical injury, Microsoft is liable according to the statutory law.
+
+Subject to the foregoing clause ii., Microsoft will only be liable for slight negligence if Microsoft is in breach of such material contractual obligations, the fulfillment of which facilitate the due performance of this agreement, the breach of which would endanger the purpose of this agreement and the compliance with which a party may constantly trust in (so-called "cardinal obligations"). In other cases of slight negligence, Microsoft will not be liable for slight negligence.
+
+9. DISCLAIMER OF WARRANTY. THE SOFTWARE IS LICENSED “AS IS.” YOU BEAR THE RISK OF USING IT. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. TO THE EXTENT PERMITTED UNDER APPLICABLE LAWS, MICROSOFT EXCLUDES ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
+
+10. LIMITATION ON AND EXCLUSION OF DAMAGES. IF YOU HAVE ANY BASIS FOR RECOVERING DAMAGES DESPITE THE PRECEDING DISCLAIMER OF WARRANTY, YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
+
+This limitation applies to (a) anything related to the software, services, content (including code) on third party Internet sites, or third party applications; and (b) claims for breach of contract, warranty, guarantee, or condition; strict liability, negligence, or other tort; or any other claim; in each case to the extent permitted by applicable law.
+
+It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your state, province, or country may not allow the exclusion or limitation of incidental, consequential, or other damages.
+
+
+
+Please note: As this software is distributed in Canada, some of the clauses in this agreement are provided below in French.
+
+Remarque: Ce logiciel étant distribué au Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français.
+
+EXONÉRATION DE GARANTIE. Le logiciel visé par une licence est offert « tel quel ». Toute utilisation de ce logiciel est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection des consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.
+
+LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.
+
+Cette limitation concerne:
+
+• tout ce qui est relié au logiciel, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et
+
+• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.
+
+Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas à votre égard.
+
+EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas.
\ No newline at end of file
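Review bot: The new file ends with "\ No newline at end of file", which is exactly what another hunk in this same patch (waas-servicing-differences.md) corrects; add the trailing newline here before merge. In the front matter, `ms.pagetype: security` tags a pure license text as a security page; unless the site relies on that tag for routing, it should match the hub's other privacy pages. `robots: noindex,nofollow` is appropriate for license text, but it means the page is reachable only by direct link, and nothing in this patch links to it (the gdpr-it-guidance.md hunk mentions the module without linking the terms).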
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 3ac0a072a3..757bf80259 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -16,9 +16,9 @@ ms.date: 06/05/2018
**Applies to**
-- Windows 10 Enterprise, version 1607 and newer
-- Windows Server 2016
-- Windows Server 2019
+- Windows 10 Enterprise, version 1607 and newer
+- Windows Server 2016
+- Windows Server 2019
If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
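Review bot: This hunk, and the others that follow in this file, show no visible difference between the `-` and `+` lines, which usually means trailing whitespace or non-breaking spaces were normalized; please say so in the commit message, and ideally keep whitespace-only churn in a separate commit from the content changes elsewhere in this patch, so reviewers can skip it rather than diffing each line by eye.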
@@ -81,17 +81,17 @@ Here's a list of changes that were made to this article for Windows 10, version
- Added the following Group Policies:
- - Prevent managing SmartScreen Filter
- - Turn off Compatibility View
- - Turn off Automatic Download and Install of updates
- - Do not connect to any Windows Update locations
- - Turn off access to all Windows Update features
- - Specify Intranet Microsoft update service location
- - Enable Windows NTP client
- - Turn off Automatic download of the ActiveX VersionList
- - Allow Automatic Update of Speech Data
- - Accounts: Block Microsoft Accounts
- - Do not use diagnostic data for tailored experiences
+ - Prevent managing SmartScreen Filter
+ - Turn off Compatibility View
+ - Turn off Automatic Download and Install of updates
+ - Do not connect to any Windows Update locations
+ - Turn off access to all Windows Update features
+ - Specify Intranet Microsoft update service location
+ - Enable Windows NTP client
+ - Turn off Automatic download of the ActiveX VersionList
+ - Allow Automatic Update of Speech Data
+ - Accounts: Block Microsoft Accounts
+ - Do not use diagnostic data for tailored experiences
## Management options for each setting
@@ -284,18 +284,18 @@ For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update**
- -and-
+ -and-
1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**.
2. Double-click **Certificate Path Validation Settings**.
3. On the **Network Retrieval** tab, select the **Define these policy settings** check box.
4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**.
- -or-
+ -or-
- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, named **DisableRootAutoUpdate**, with a value of 1.
- -and-
+ -and-
1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**.
2. Double-click **Certificate Path Validation Settings**.
@@ -359,11 +359,11 @@ In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **
9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
- - For **Protocol type**, choose **TCP**.
+ - For **Protocol type**, choose **TCP**.
- - For **Local port**, choose **All Ports**.
+ - For **Local port**, choose **All Ports**.
- - For **Remote port**, choose **All ports**.
+ - For **Remote port**, choose **All ports**.
If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost.
@@ -381,20 +381,20 @@ For Windows 10 only, the following Cortana MDM policies are available in the [Po
You can prevent Windows from setting the time automatically.
-- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically**
+- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically**
- -or-
+ -or-
-- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
+- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
After that, configure the following:
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**
> [!NOTE]
> This is only available on Windows 10, version 1703 and later. If you're using Windows 10, version 1607, the Group Policy setting is **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client**
- -or -
+ -or -
- Create a new REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient** and set it to 0 (zero).
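Review bot: The Group Policy path on the changed "Disable the Group Policy" line, **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**, is internally inconsistent: "Enable Windows NTP Server" is a policy setting name, not a folder, and the 1607 path given in the note immediately below shows the folder order as **System** > **Windows Time Service** > **Time Providers**. Since the line is being rewritten anyway, correct the folder sequence to match that note and verify the setting name at the end of the path against the 1703 ADMX before merging.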
@@ -405,11 +405,11 @@ To prevent Windows from retrieving device metadata from the Internet:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
- -or -
+ -or -
- Create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one).
- -or -
+ -or -
- Apply the DeviceInstallation/PreventDeviceMetadataFromNetwork MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork).
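Review bot: The separator lines touched in this hunk are written `-or -` (with a space before the trailing hyphen) while the hunk above in the same file uses `-or-`; since these lines are being rewritten for whitespace anyway, normalize them to `-or-` rather than preserving the inconsistency.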
@@ -417,11 +417,11 @@ To prevent Windows from retrieving device metadata from the Internet:
To turn off Find My Device:
-- Turn off the feature in the UI
+- Turn off the feature in the UI
- -or-
+ -or-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
+- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FindMyDevice\\AllowFindMyDevice** to 0 (zero).
@@ -437,9 +437,9 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later:
- In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
- - **false**. Font streaming is disabled.
+ - **false**. Font streaming is disabled.
- - **true**. Font streaming is enabled.
+ - **true**. Font streaming is enabled.
If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting named **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters** with a value of 1.
@@ -466,35 +466,35 @@ To turn off Insider Preview builds for Windows 10:
> [!NOTE]
> If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
-- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**.
+- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
- -or -
+ -or -
- Create a new REG\_DWORD registry setting named **AllowBuildPreview** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds** with a vlue of 0 (zero)
- -or-
+ -or-
-- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
- - **0**. Users cannot make their devices available for downloading and installing preview software.
+ - **0**. Users cannot make their devices available for downloading and installing preview software.
- - **1**. Users can make their devices available for downloading and installing preview software.
+ - **1**. Users can make their devices available for downloading and installing preview software.
- - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
+ - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
- -or-
+ -or-
-- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where:
+- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where:
- - **0**. Users cannot make their devices available for downloading and installing preview software.
+ - **0**. Users cannot make their devices available for downloading and installing preview software.
- - **1**. Users can make their devices available for downloading and installing preview software.
+ - **1**. Users can make their devices available for downloading and installing preview software.
- - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
+ - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
### 8. Internet Explorer
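Review bot: The untouched context line `- Create a new REG\_DWORD registry setting named **AllowBuildPreview** ... with a vlue of 0 (zero)` has a typo (`vlue` should be `a value`) and is the only bullet in this list without a terminating period; its neighbors are being re-indented here, so fix that line too. In the same hunk the `-or -` separator just before it keeps its stray space in the `+` line (every other separator in this list is `-or-`), and both `**2**. (default) Not configured.` lines say `available for download and installing preview software` where the matching `**1**` lines say `downloading and installing`.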
@@ -548,7 +548,7 @@ You can turn this off by:
- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList**
- -or -
+ -or -
- Changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
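Review bot: Under `You can turn this off by:` the two alternatives are not parallel, `Apply the Group Policy: ...` versus `Changing the REG\_DWORD registry setting ...`; make both imperative (`Apply` / `Change`) or both gerunds, and drop the stray space in `-or -` that the `+` line preserves. The registry bullet also gives only the full path `...\\VersionManager\\DownloadVersionList` instead of the `named **X** in **key**` form used everywhere else in the document, which is worth aligning while the list is being touched.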
@@ -558,11 +558,11 @@ For more info, see [Out-of-date ActiveX control blocking](https://technet.micros
To turn off Live Tiles:
-- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
+- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one).
In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
@@ -570,31 +570,31 @@ In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
-- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts.
+- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts.
- -or-
+ -or-
-- Remove any Microsoft Accounts from the Mail app.
+- Remove any Microsoft Accounts from the Mail app.
- -or-
+ -or-
-- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
+- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
To turn off the Windows Mail app:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **ManualLaunchAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **ManualLaunchAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a value of 0 (zero).
### 11. Microsoft Account
To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways.
-- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**.
+- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**.
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **NoConnectedUser** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System** with a value of 3.
To disable the Microsoft Account Sign-In Assistant:
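Review bot: The section 11 intro `To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways.` is a sentence fragment followed by an ungrammatical warning, and it is the one place the impact of this setting is stated, so it deserves a clean version: `To prevent communication to the Microsoft Account cloud authentication service, do one of the following. Many apps and system components that depend on Microsoft Account authentication may lose functionality, some in unexpected ways.` The `NoConnectedUser` bullet at the end of the hunk also writes the key as `HKEY_LOCAL_MACHINE\\SOFTWARE\\...` with unescaped underscores, unlike the `HKEY\_LOCAL\_MACHINE` form used on the `ManualLaunchAllowed` line just above it.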
@@ -620,7 +620,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Configure Do Not Track | Choose whether employees can send Do Not Track headers.
Default: Disabled |
| Configure Password Manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
| Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
Default: Enabled |
-| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled |
+| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled |
| Configure Start pages | Choose the Start page for domain-joined devices.
Set this to **\** |
| Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
Default: Disabled |
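Review bot: The replacement row `+| Configure Windows Defender SmartScreen (Windows 10, version 1703) | ...` drops the `Configure SmartScreen Filter (Windows Server 2016)` policy name that the removed row also listed; if that policy still exists under that name on Windows Server 2016 it should stay in the cell, and if it was removed on purpose the commit message should say so. One untouched row in the same hunk is also broken: `Configure Start pages` reads `Set this to **\**`, which has lost its value and should be restored before this table is committed again.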
@@ -679,7 +679,7 @@ In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2
You can turn off NCSI by doing one of the following:
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) with a value of 1.
@@ -688,39 +688,39 @@ You can turn off NCSI by doing one of the following:
-or-
-- Create a REG\_DWORD registry setting named **NoActiveProbe** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **NoActiveProbe** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator** with a value of 1 (one).
### 14. Offline maps
You can turn off the ability to download and update offline maps.
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **AutoDownloadAndUpdateMapData** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **AutoDownloadAndUpdateMapData** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero).
- -and-
+ -and-
- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **AllowUntriggeredNetworkTrafficOnSettingsPage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **AllowUntriggeredNetworkTrafficOnSettingsPage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero).
### 15. OneDrive
To turn off OneDrive in your organization:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **DisableFileSyncNGSC** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **DisableFileSyncNGSC** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive** with a value of 1 (one).
- -and-
+ -and-
-- Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one).
### 16. Preinstalled apps
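Review bot: The OneDrive pair re-indented here puts `DisableFileSyncNGSC` under `HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive` and `PreventNetworkTrafficPreUserSignIn` under `HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive`; those are two different keys joined by `-and-`, which readers will easily take for a typo in one of them, so a short sentence saying that both values are required in their respective keys would help. In the Offline maps list, `- In Windows 10, version 1607 and later, apply the Group Policy ...` is the only bullet not re-indented in this hunk; check that it ends up at the same list level as its `-or-` partner below it.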
@@ -728,117 +728,117 @@ Some preinstalled apps get content before they are opened to ensure a great expe
To remove the News app:
-- Right-click the app in Start, and then click **Uninstall**.
+- Right-click the app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage**
To remove the Weather app:
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage**
To remove the Money app:
-- Right-click the app in Start, and then click **Uninstall**.
+- Right-click the app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage**
To remove the Sports app:
-- Right-click the app in Start, and then click **Uninstall**.
+- Right-click the app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage**
To remove the Twitter app:
-- Right-click the app in Start, and then click **Uninstall**.
+- Right-click the app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage**
To remove the XBOX app:
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage**
To remove the Sway app:
-- Right-click the app in Start, and then click **Uninstall**.
+- Right-click the app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage**
To remove the OneNote app:
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage**
To remove the Get Office app:
-- Right-click the app in Start, and then click **Uninstall**.
+- Right-click the app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage**
To remove the Get Skype app:
-- Right-click the Sports app in Start, and then click **Uninstall**.
+- Right-click the Sports app in Start, and then click **Uninstall**.
- -or-
+ -or-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
To remove the Sticky notes app:
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
- -and-
+ -and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage**
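Review bot: Under `To remove the Get Skype app:` the first bullet, carried over unchanged in the `+` line, says `Right-click the Sports app in Start`, a copy-paste leftover from the Sports section that should read `Right-click the app in Start` like the other sections. Throughout this hunk the `Remove the app for the current user. ...` lines that follow each `-and-` are plain paragraphs while their `Remove the app for new user accounts` partners are list items, so each `-and-` pair renders unevenly; prefix them with `- ` as well. The PowerShell commands are wrapped in `**...**` bold, which forces the `$\_` and `\*` escapes; putting them in backticks would let `$_.PackageName` and `*.Twitter` appear exactly as typed.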
@@ -846,43 +846,43 @@ To remove the Sticky notes app:
Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
-- [17.1 General](#bkmk-general)
+- [17.1 General](#bkmk-general)
-- [17.2 Location](#bkmk-priv-location)
+- [17.2 Location](#bkmk-priv-location)
-- [17.3 Camera](#bkmk-priv-camera)
+- [17.3 Camera](#bkmk-priv-camera)
-- [17.4 Microphone](#bkmk-priv-microphone)
+- [17.4 Microphone](#bkmk-priv-microphone)
-- [17.5 Notifications](#bkmk-priv-notifications)
+- [17.5 Notifications](#bkmk-priv-notifications)
-- [17.6 Speech, inking, & typing](#bkmk-priv-speech)
+- [17.6 Speech, inking, & typing](#bkmk-priv-speech)
-- [17.7 Account info](#bkmk-priv-accounts)
+- [17.7 Account info](#bkmk-priv-accounts)
-- [17.8 Contacts](#bkmk-priv-contacts)
+- [17.8 Contacts](#bkmk-priv-contacts)
-- [17.9 Calendar](#bkmk-priv-calendar)
+- [17.9 Calendar](#bkmk-priv-calendar)
-- [17.10 Call history](#bkmk-priv-callhistory)
+- [17.10 Call history](#bkmk-priv-callhistory)
-- [17.11 Email](#bkmk-priv-email)
+- [17.11 Email](#bkmk-priv-email)
-- [17.12 Messaging](#bkmk-priv-messaging)
+- [17.12 Messaging](#bkmk-priv-messaging)
-- [17.13 Radios](#bkmk-priv-radios)
+- [17.13 Radios](#bkmk-priv-radios)
-- [17.14 Other devices](#bkmk-priv-other-devices)
+- [17.14 Other devices](#bkmk-priv-other-devices)
-- [17.15 Feedback & diagnostics](#bkmk-priv-feedback)
+- [17.15 Feedback & diagnostics](#bkmk-priv-feedback)
-- [17.16 Background apps](#bkmk-priv-background)
+- [17.16 Background apps](#bkmk-priv-background)
-- [17.17 Motion](#bkmk-priv-motion)
+- [17.17 Motion](#bkmk-priv-motion)
-- [17.18 Tasks](#bkmk-priv-tasks)
+- [17.18 Tasks](#bkmk-priv-tasks)
-- [17.19 App Diagnostics](#bkmk-priv-diag)
+- [17.19 App Diagnostics](#bkmk-priv-diag)
### 17.1 General
@@ -895,33 +895,33 @@ To turn off **Let apps use advertising ID to make ads more interesting to you ba
> [!NOTE]
> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero).
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
To turn off **Let websites provide locally relevant content by accessing my language list**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1.
+- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1.
To turn off **Let Windows track app launches to improve Start and search results**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
- Create a REG_DWORD registry setting named **Start_TrackProgs** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced** with value of 0 (zero).
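Review bot: The trailing context line for `Start_TrackProgs` reads `with value of 0 (zero)` (missing `a`) and writes the key as `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced` with single backslashes and unescaped underscores, while every other registry line in this hunk uses the `HKEY\_CURRENT\_USER\\...` form; as written the underscores can be picked up as emphasis markers. Align it with the `HttpAcceptLanguageOptOut` line just above it.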
@@ -932,31 +932,31 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin
> [!NOTE]
> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero).
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
To turn off **Turn on SmartScreen Filter to check web content (URLs) that Microsoft Store apps use**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Create a provisioning package, using:
- - For Internet Explorer: **Runtime settings > Policies > Browser > AllowSmartScreen**
- - For Microsoft Edge: **Runtime settings > Policies > MicrosoftEdge > AllowSmartScreen**
+- Create a provisioning package, using:
+ - For Internet Explorer: **Runtime settings > Policies > Browser > AllowSmartScreen**
+ - For Microsoft Edge: **Runtime settings > Policies > MicrosoftEdge > AllowSmartScreen**
- -or-
+ -or-
- Create a REG_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost** with a value of 0 (zero).
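Review bot: Same escaping problem at the end of this hunk: the `EnableWebContentEvaluation` line writes `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost` with raw underscores and single backslashes, unlike the `HKEY\_LOCAL\_MACHINE\\...` form on the `AdvertisingInfo` lines above it. Also worth confirming: the heading is about the SmartScreen check for URLs that Microsoft Store apps use, but the provisioning-package bullet offers `Browser > AllowSmartScreen` for Internet Explorer and `MicrosoftEdge > AllowSmartScreen` for Microsoft Edge; if those settings only govern the browsers, that bullet belongs in the browser sections rather than here.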
@@ -967,35 +967,35 @@ To turn off **Send Microsoft info about how I write to help us improve typing an
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
- - **0**. Not allowed
+ - **0**. Not allowed
- - **1**. Allowed (default)
+ - **1**. Allowed (default)
To turn off **Let websites provide locally relevant content by accessing my language list**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1.
+- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1.
To turn off **Let apps on my other devices open apps and continue experiences on this devices**:
- Turn off the feature in the UI.
- -or-
+ -or-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**.
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **EnableCdp** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **EnableCdp** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero).
To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**:
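Review bot: The heading `To turn off **Let apps on my other devices open apps and continue experiences on this devices**:` has `this devices` where the Bluetooth heading right after it correctly says `this device`; fix the plural. In that list the first bullet `- Turn off the feature in the UI.` is left as context while the `-or-` under it is re-indented, so verify the bullet and the separator end up at the same indentation as the rest of the list. Separately, the `Let websites provide locally relevant content by accessing my language list` block with the `HttpAcceptLanguageOptOut` registry value appears verbatim in this hunk and again in the earlier `@@ -895` hunk; if both sections are intended (different Windows versions), fine, otherwise one copy should go.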
@@ -1007,58 +1007,58 @@ In the **Location** area, you choose whether devices have access to location-spe
To turn off **Location for this device**:
-- Click the **Change** button in the UI.
+- Click the **Change** button in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
- -or-
+ -or-
-- Apply the System/AllowLocation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+- Apply the System/AllowLocation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- - **0**. Turned off and the employee can't turn it back on.
+ - **0**. Turned off and the employee can't turn it back on.
- - **1**. Turned on, but lets the employee choose whether to use it. (default)
+ - **1**. Turned on, but lets the employee choose whether to use it. (default)
- - **2**. Turned on and the employee can't turn it off.
+ - **2**. Turned on and the employee can't turn it off.
> [!NOTE]
> You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx).
- -or-
+ -or-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where
+- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where
- - **No**. Turns off location service.
+ - **No**. Turns off location service.
- - **Yes**. Turns on location service. (default)
+ - **Yes**. Turns on location service. (default)
To turn off **Location**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one).
- -or-
+ -or-
To turn off **Location history**:
-- Erase the history using the **Clear** button in the UI.
+- Erase the history using the **Clear** button in the UI.
To turn off **Choose apps that can use your location**:
-- Turn off each app using the UI.
+- Turn off each app using the UI.
### 17.3 Camera
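Review bot: The registry values in the two location lists look crossed. The first list pairs the **Location and Sensors** > **Turn off location** policy with **LetAppsAccessLocation** under `HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy`, while the second pairs **App Privacy** > **Let Windows apps access location** (Force Deny) with **DisableLocation** under `...\\Policies\\Microsoft\\Windows\\LocationAndSensors`; by key path, `AppPrivacy\LetAppsAccessLocation` is the registry form of the App Privacy policy and `LocationAndSensors\DisableLocation` of the Turn off location policy, so either swap the two registry bullets or state that the two mechanisms are distinct. Separately, the second list ends with a dangling `-or-` after the **DisableLocation** bullet with no alternative following it, and its first bullet ("Turn off the feature in the UI.") is not followed by `-or-` as in every other list; drop the trailing `-or-` and add the missing one while these lines are being rewritten.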
@@ -1066,40 +1066,40 @@ In the **Camera** area, you can choose which apps can access a device's camera.
To turn off **Let apps use my camera**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
- -or-
+ -or-
-- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- - **0**. Apps can't use the camera.
+ - **0**. Apps can't use the camera.
- - **1**. Apps can use the camera.
+ - **1**. Apps can use the camera.
> [!NOTE]
> You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx).
- -or-
+ -or-
-- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
+- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
- - **0**. Apps can't use the camera.
+ - **0**. Apps can't use the camera.
- - **1**. Apps can use the camera.
+ - **1**. Apps can use the camera.
To turn off **Choose apps that can use your camera**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.4 Microphone
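Review bot: The provisioning-package bullet still reads "Create a provisioning package with use Windows ICD"; since the hunk already rewrites that line, fix it to "Create a provisioning package using Windows ICD, with **Runtime settings** > ...". Also, the MDM alternative given here is Camera/AllowCamera (0/1), a device-wide camera switch, whereas the Group Policy and **LetAppsAccessCamera** registry value above it are the per-app Force Deny; the microphone section that follows lists the matching Privacy/LetAppsAccessMicrophone policy with its 0/1/2 values, so consider adding the Privacy/LetAppsAccessCamera counterpart here for parity, or say explicitly that AllowCamera disables the camera outright rather than app access to it.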
@@ -1107,29 +1107,29 @@ In the **Microphone** area, you can choose which apps can access a device's micr
To turn off **Let apps use my microphone**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessMicrophone MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmicrophone), where:
+- Apply the Privacy/LetAppsAccessMicrophone MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmicrophone), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
+- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
To turn off **Choose apps that can use your microphone**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.5 Notifications
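Review bot: The **LetAppsAccessMicrophone** registry bullet is missing its terminal period ("with a value of 2 (two)"), unlike the equivalent bullets in the camera and location sections; add it while the line is being touched.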
@@ -1138,45 +1138,45 @@ To turn off **Choose apps that can use your microphone**:
To turn off notifications network usage:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn off Notifications network usage**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn off Notifications network usage**
- - Set to **Enabled**.
+ - Set to **Enabled**.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one)
+- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one)
- -or-
+ -or-
-- Apply the Notifications/DisallowCloudNotification MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification), where:
+- Apply the Notifications/DisallowCloudNotification MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification), where:
- - **0**. WNS notifications allowed
- - **1**. No WNS notifications allowed
+ - **0**. WNS notifications allowed
+ - **1**. No WNS notifications allowed
In the **Notifications** area, you can also choose which apps have access to notifications.
To turn off **Let apps access my notifications**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where:
+- Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
+- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
### 17.6 Speech, inking, & typing
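Review bot: The **NoCloudApplicationNotification** bullet writes the hive as `HKEY_LOCAL_MACHINE` with unescaped underscores and `SOFTWARE` in upper case, while every other registry path in the patch uses `HKEY\_LOCAL\_MACHINE\\Software`; normalise it so the bold text renders consistently, since unescaped underscores inside `**...**` can be picked up as emphasis by some renderers. That bullet and the **LetAppsAccessNotifications** bullet at the end of the hunk also drop the terminal period that the other registry bullets carry.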
@@ -1187,19 +1187,19 @@ In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better
To turn off the functionality:
-- Click the **Stop getting to know me** button, and then click **Turn off**.
+- Click the **Stop getting to know me** button, and then click **Turn off**.
- -or-
+ -or-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one).
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Personalization\\Settings** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Personalization\\Settings** with a value of 0 (zero).
-and-
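Review bot: The **AcceptedPrivacyPolicy** bullet is offered as an `-or-` alternative to the policy settings above it, but its path is `HKEY\_CURRENT\_USER\\Software\\Microsoft\\Personalization\\Settings`, a per-user preference key rather than a `Policies` key, so it affects only the profile it is written to and the user can switch it back from Settings; add that caveat, or move it under the `-and-` that follows as a complementary step rather than an equivalent one.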
@@ -1213,10 +1213,10 @@ If you're running at least Windows 10, version 1607, you can turn off updates to
Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate), where:
-- **0** (default). Not allowed.
-- **1**. Allowed.
+- **0** (default). Not allowed.
+- **1**. Allowed.
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences** with a value of 0 (zero).
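Review bot: The **ModelDownloadAllowed** bullet points at `HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences`, a preferences key rather than a `Policies` key, so unlike the MDM policy above it it does not enforce the setting; say so, and escape the underscore in `Speech_OneCore` as the other paths in the hunk do. The value list also marks **0** (Not allowed) as the default; please verify that against the linked Policy CSP entry before merging, because a wrong default here would lead admins to assume model updates are off when nothing has been configured.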
@@ -1226,29 +1226,29 @@ In the **Account Info** area, you can choose which apps can access your name, pi
To turn off **Let apps access my name, picture, and other account info**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessAccountInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessaccountinfo), where:
+- Apply the Privacy/LetAppsAccessAccountInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessaccountinfo), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **LetAppsAccessAccountInfo** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose the apps that can access your account info**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.8 Contacts
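Review bot: The **LetAppsAccessAccountInfo** registry bullet uses `HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy`, omitting `Policies\\` from the path; the location, camera, microphone and notifications sections all place their **LetApps...** values under `HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy`, which is the key the App Privacy Group Policy writes to. A value written under the non-`Policies` path will not enforce Force Deny, so correct the path here even though the line is only context in this hunk.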
@@ -1256,23 +1256,23 @@ In the **Contacts** area, you can choose which apps can access an employee's con
To turn off **Choose apps that can access contacts**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where:
+- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **LetAppsAccessContacts** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
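Review bot: Same path problem as in the account-info section: the **LetAppsAccessContacts** bullet uses `HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy` without `Policies\\`, whereas the camera and microphone sections use `HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy`; correct it so the registry method actually mirrors the Force Deny Group Policy above it.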
@@ -1282,29 +1282,29 @@ In the **Calendar** area, you can choose which apps have access to an employee's
To turn off **Let apps access my calendar**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessCalendar MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscalendar), where:
+- Apply the Privacy/LetAppsAccessCalendar MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscalendar), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **LetAppsAccessCalendar** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can access calendar**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.10 Call history
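Review bot: The **LetAppsAccessCalendar** registry bullet has the same missing `Policies\\` segment as the account-info and contacts sections (`HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy`), while the call-history hunk immediately below uses `HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy`; fix this one too so all the App Privacy registry bullets point at the same policy key.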
@@ -1312,25 +1312,25 @@ In the **Call history** area, you can choose which apps have access to an employ
To turn off **Let apps access my call history**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
- - Apply the Privacy/LetAppsAccessCallHistory MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscallhistory), where:
+ - Apply the Privacy/LetAppsAccessCallHistory MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscallhistory), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### 17.11 Email
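Review bot: The Privacy/LetAppsAccessCallHistory MDM bullet and its 0/1/2 value list are indented one space deeper than the other top-level bullets in the list (` - Apply ...` versus `- Apply ...`), so they render as children of the **Set the Select a setting box to Force Deny** sub-item rather than as the next `-or-` alternative; since the hunk rewrites those lines anyway, outdent them to match the **Apply the Group Policy** and **Create a REG\_DWORD** bullets.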
@@ -1338,25 +1338,25 @@ In the **Email** area, you can choose which apps have can access and send email.
To turn off **Let apps access and send email**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
- - Apply the Privacy/LetAppsAccessEmail MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessemail), where:
+ - Apply the Privacy/LetAppsAccessEmail MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessemail), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### 17.12 Messaging
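Review bot: As in the call-history list, the Privacy/LetAppsAccessEmail MDM bullet and its values carry an extra leading space (` - Apply ...`), nesting them under the Force Deny sub-step instead of presenting them as a top-level `-or-` option; outdent them to the same level as the other bullets while the lines are being rewritten.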
@@ -1364,29 +1364,29 @@ In the **Messaging** area, you can choose which apps can read or send messages.
To turn off **Let apps read or send messages (text or MMS)**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessMessaging MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmessaging), where:
+- Apply the Privacy/LetAppsAccessMessaging MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmessaging), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessMessaging** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessMessaging** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can read or send messages**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.13 Phone calls
@@ -1394,30 +1394,30 @@ In the **Phone calls** area, you can choose which apps can make phone calls.
To turn off **Let apps make phone calls**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessPhone MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone), where:
+- Apply the Privacy/LetAppsAccessPhone MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can make phone calls**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.14 Radios
@@ -1425,30 +1425,30 @@ In the **Radios** area, you can choose which apps can turn a device's radio on o
To turn off **Let apps control radios**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessRadios MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessradios), where:
+- Apply the Privacy/LetAppsAccessRadios MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessradios), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can control radios**:
-- Turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
### 17.15 Other devices
@@ -1456,44 +1456,42 @@ In the **Other Devices** area, you can choose whether devices that aren't paired
To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices**
- -or-
+ -or-
-- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where:
+- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+ -or-
- -or-
-
-- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices**
- - Set the **Select a setting** box to **Force Deny**.
+- Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the **Privacy/LetAppsAccessTrustedDevices** MDM policy from the [Policy CSP](/windows/client-management/mdm/policy-csp-privacy.md#privacy-letappsaccesstrusteddevices
+- Apply the **Privacy/LetAppsAccessTrustedDevices** MDM policy from the [Policy CSP](/windows/client-management/mdm/policy-csp-privacy.md#privacy-letappsaccesstrusteddevices
), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
-
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
### 17.16 Feedback & diagnostics
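Review bot: The change to **Set the Select a setting box to Force Deny** in the trusted-devices list is a regression: it promotes the sub-step of the Group Policy bullet to a top-level bullet, so it now reads as an independent `-or-` alternative, whereas every other App Privacy list in the patch keeps it indented under **Apply the Group Policy**; restore the leading space. In the same list the Policy CSP link is split across two lines, with `), where:` on the line after the URL, which breaks the markdown link; join them, and note that the target `/windows/client-management/mdm/policy-csp-privacy.md#privacy-letappsaccesstrusteddevices` is a relative `.md` path where every other Policy CSP link in the patch is an absolute URL. The first list (**Let apps automatically share and sync info...**) also lacks the **Set the Select a setting box to Force Deny** sub-step under its Group Policy bullet; add it for consistency. Finally, removing the blank line before the **### 17.16** heading leaves the heading directly after a list item; keep a blank line there so the list is terminated before the heading.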
@@ -1506,23 +1504,23 @@ To change how frequently **Windows should ask for my feedback**:
-- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
+- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
- -or-
+ -or-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one).
- -or-
+ -or-
-- Create the registry keys (REG\_DWORD type):
+- Create the registry keys (REG\_DWORD type):
- - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
+ - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
- - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
+ - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
Based on these settings:
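Review bot: The last bullet says "Create the registry keys (REG\_DWORD type)", but **PeriodInNanoSeconds** and **NumberOfSIUFInPeriod** are REG\_DWORD values under the `HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules` key, not keys themselves, and the bullet gives no values to set (the "Based on these settings:" sentence that follows presumably introduces them); reword to "Create the following REG\_DWORD values under ... and set them as described below". Also worth stating that these live in HKCU, so unlike the HKLM **DoNotShowFeedbackNotifications** policy value above they must be applied per user profile and are not enforced.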
@@ -1537,48 +1535,48 @@ To change how frequently **Windows should ask for my feedback**:
To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
-- Click either the **Basic** or **Full** options.
+- Click either the **Basic** or **Full** options.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment.
+- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment.
- -or-
+ -or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a value of 0-3, as appropriate for your deployment (see below for the values for each level).
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a value of 0-3, as appropriate for your deployment (see below for the values for each level).
> [!NOTE]
> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition.
- -or-
+ -or-
-- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- - **0**. Maps to the **Security** level.
+ - **0**. Maps to the **Security** level.
- - **1**. Maps to the **Basic** level.
+ - **1**. Maps to the **Basic** level.
- - **2**. Maps to the **Enhanced** level.
+ - **2**. Maps to the **Enhanced** level.
- - **3**. Maps to the **Full** level.
+ - **3**. Maps to the **Full** level.
- -or-
+ -or-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where:
+- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where:
- - **0**. Maps to the **Security** level.
+ - **0**. Maps to the **Security** level.
- - **1**. Maps to the **Basic** level.
+ - **1**. Maps to the **Basic** level.
- - **2**. Maps to the **Enhanced** level.
+ - **2**. Maps to the **Enhanced** level.
- - **3**. Maps to the **Full** level.
+ - **3**. Maps to the **Full** level.
To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data:
- Turn off the feature in the UI.
- -or-
+ -or-
- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**
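Review bot: the link in the 'Apply the System/AllowTelemetry MDM policy' bullet still points at the generic MSDN library page (msdn.microsoft.com/library/windows/hardware/dn904962.aspx), whereas the Defender, Experience and Update bullets later in this patch link to the per-area docs.microsoft.com Policy CSP pages; since the line is already being rewritten, point it at the Policy CSP page that carries the AllowTelemetry entry so readers land on the value table directly. The '-' and '+' pairs in this hunk differ only in whitespace, which is fine, but the commit message should state that the patch is a whitespace normalization so reviewers know not to hunt for content changes.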
@@ -1588,25 +1586,25 @@ In the **Background Apps** area, you can choose which apps can run in the backgr
To turn off **Let apps run in the background**:
-- In **Background apps**, set **Let apps run in the background** to **Off**.
+- In **Background apps**, set **Let apps run in the background** to **Off**.
- -or-
+ -or-
-- In **Background apps**, turn off the feature for each app.
+- In **Background apps**, turn off the feature for each app.
- -or-
+ -or-
-- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background**
+- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsRunInBackground MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessruninbackground), where:
+- Apply the Privacy/LetAppsRunInBackground MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessruninbackground), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
> [!NOTE]
> Some apps, including Cortana and Search, might not function as expected if you set **Let apps run in the background** to **Force Deny**.
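Review bot: the Policy CSP link in the 'Apply the Privacy/LetAppsRunInBackground MDM policy' bullet uses the fragment '#privacy-letappsaccessruninbackground', which does not match the policy name LetAppsRunInBackground (there is an extra 'access'); the Motion and Tasks bullets further down use fragments that match their policy names ('#privacy-letappsaccessmotion', '#privacy-letappsaccesstasks'), so check that this anchor actually resolves and correct it while the line is being rewritten.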
@@ -1617,23 +1615,23 @@ In the **Motion** area, you can choose which apps have access to your motion dat
To turn off **Let Windows and your apps use your motion data and collect motion history**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion**
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessMotion MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmotion), where:
+- Apply the Privacy/LetAppsAccessMotion MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmotion), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### 17.19 Tasks
@@ -1641,21 +1639,21 @@ In the **Tasks** area, you can choose which apps have access to your tasks.
To turn this off:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks**
- - Set the **Select a setting** box to **Force Deny**.
+ - Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
-- Apply the Privacy/LetAppsAccessTasks MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesstasks), where:
+- Apply the Privacy/LetAppsAccessTasks MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesstasks), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
### 17.20 App Diagnostics
@@ -1663,19 +1661,19 @@ In the **App diagnostics** area, you can choose which apps have access to your d
To turn this off:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps**
- -or-
+ -or-
-- Apply the Privacy/LetAppsGetDiagnosticInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsgetdiagnosticinfo), where:
+- Apply the Privacy/LetAppsGetDiagnosticInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsgetdiagnosticinfo), where:
- - **0**. User in control
- - **1**. Force allow
- - **2**. Force deny
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
### 18. Software Protection Platform
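Review bot: typo in the Group Policy name for App diagnostics: 'Let Windows apps access dignostic information about other apps' should read 'diagnostic'. The line is rewritten in this hunk, so fix it here rather than carrying the misspelling into the added version.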
@@ -1686,11 +1684,11 @@ For Windows 10:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
- -or-
+ -or-
-- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
+- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
@@ -1698,7 +1696,7 @@ For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Co
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
- -or-
+ -or-
- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
@@ -1716,31 +1714,31 @@ For Windows 10:
You can control if your settings are synchronized:
-- In the UI: **Settings** > **Accounts** > **Sync your settings**
+- In the UI: **Settings** > **Accounts** > **Sync your settings**
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**
- -or-
+ -or-
-- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one).
- -or-
+ -or-
-- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
+- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
- -or-
+ -or-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where
+- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where
- - **No**. Settings are not synchronized.
+ - **No**. Settings are not synchronized.
- - **Yes**. Settings are synchronized. (default)
+ - **Yes**. Settings are synchronized. (default)
To turn off Messaging cloud sync:
-- Create a REG\_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging** with a value of 0 (zero).
+- Create a REG\_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging** with a value of 0 (zero).
### 21. Teredo
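Review bot: the 'Create a provisioning package, using Runtime settings > Policies > Experience > AllowSyncMySettings, where' bullet is missing the trailing colon that every other 'where:' bullet in this file has; the line is rewritten in this hunk, so add it, otherwise the No/Yes list that follows reads as a fragment.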
@@ -1749,15 +1747,15 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command.
>[!NOTE]
>If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work.
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
- -or-
+ -or-
-- Create a new REG\_SZ registry setting named **Teredo_State** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**.
+- Create a new REG\_SZ registry setting named **Teredo_State** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**.
- -or-
+ -or-
-- From an elevated command prompt, run **netsh interface teredo set state disabled**
+- From an elevated command prompt, run **netsh interface teredo set state disabled**
### 22. Wi-Fi Sense
@@ -1768,23 +1766,23 @@ Wi-Fi Sense automatically connects devices to known hotspots and to the wireless
To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
-- Turn off the feature in the UI.
+- Turn off the feature in the UI.
- -or-
+ -or-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
- -or-
+ -or-
-- Create a new REG\_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a value of 0 (zero).
+- Create a new REG\_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a value of 0 (zero).
- -or-
+ -or-
-- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909).
+- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909).
- -or-
+ -or-
-- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910).
+- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910).
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
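Review bot: the provisioning setting is capitalized inconsistently within one bullet: the prose says 'WiFISenseAllowed' while the link text on the same line and the Unattended bullet below say 'WiFiSenseAllowed'. Pick the spelling used by the referenced Windows Provisioning Settings reference doc and apply it to both occurrences.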
@@ -1792,55 +1790,55 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr
You can disconnect from the Microsoft Antimalware Protection Service.
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS**
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS**
- -or-
+ -or-
-- Delete the registry setting **named** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates**.
+- Delete the registry setting **named** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates**.
- -or-
+ -or-
-- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
- -or-
+ -or-
-- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
+- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
- -and-
+ -and-
From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0**
You can stop sending file samples back to Microsoft.
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
- -or-
+ -or-
-- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender), where:
+- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender), where:
- - **0**. Always prompt.
+ - **0**. Always prompt.
- - **1**. (default) Send safe samples automatically.
+ - **1**. (default) Send safe samples automatically.
- - **2**. Never send.
+ - **2**. Never send.
- - **3**. Send all samples automatically.
+ - **3**. Send all samples automatically.
- -or-
+ -or-
-- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
+- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
You can stop downloading definition updates:
-- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
+- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
- -and-
+ -and-
-- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
- -or-
+ -or-
-- Create a new REG\_SZ registry setting named **FallbackOrder** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates** with a value of **FileShares**.
+- Create a new REG\_SZ registry setting named **FallbackOrder** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates** with a value of **FileShares**.
For Windows 10 only, you can stop Enhanced Notifications:
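Review bot: the bullet 'Delete the registry setting **named** in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Updates' never says which value to delete; the value name after 'named' has evidently been lost, and since the line is rewritten here it should be restored (the path also uses a single backslash before 'Updates' while the rest of it uses the escaped '\\' form). Two further issues in this hunk: 'Defender/AllowClouldProtection' is misspelled (AllowCloudProtection) and its link is labelled 'Defender CSP' but points at the Policy CSP library page; and the final '-and-' is followed by an unbulleted 'From an elevated Windows PowerShell prompt, run set-mppreference -Mapsreporting 0' line, which breaks the list and leaves it unclear whether the cmdlet is required in addition to the SpyNetReporting registry value or is an alternative to it.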
@@ -1854,11 +1852,11 @@ To disable Windows Defender Smartscreen:
- In Group Policy, configure - **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** : **Disable**
- -or-
+ -and-
- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable**
- -and-
+ -and-
- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**
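Review bot: changing the first separator from '-or-' to '-and-' is the only content change in an otherwise whitespace-only patch, so it deserves an explicit mention in the commit message. The change reads as correct: it makes the three Group Policy steps a single '-and-' chain, matching the three '-and-' joined registry settings in the next hunk, whereas the old '-or-' implied that either of the two 'Configure Windows Defender SmartScreen' policies alone was sufficient. Please confirm that is the intent.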
@@ -1866,11 +1864,11 @@ To disable Windows Defender Smartscreen:
- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System** with a value of 0 (zero).
- -and-
+ -and-
- Create a REG_DWORD registry setting named **ConfigureAppInstallControlEnabled** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of 1.
- -and-
+ -and-
- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of **Anywhere**.
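Review bot: two defects in the unchanged context lines of this hunk are worth fixing while the separators around them are touched: the key path 'HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System' misspells 'Software', and 'Create a SZ registry setting' should be 'REG_SZ' to match the rest of the document. These three bullets also use unescaped underscores and single backslashes ('HKEY_LOCAL_MACHINE\SOFTWARE\...'), unlike the 'HKEY\_LOCAL\_MACHINE\\SOFTWARE' form used everywhere else in the file, so normalize them to the escaped form.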
@@ -1882,15 +1880,15 @@ To disable Windows Defender Smartscreen:
To remove Windows Media Player on Windows 10:
-- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**.
+- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**.
- -or-
+ -or-
-- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
+- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
To remove Windows Media Player on Windows Server 2016:
-- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
+- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
### 25. Windows Spotlight
@@ -1903,51 +1901,51 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
> [!NOTE]
> This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting.
- -or-
+ -or-
-- For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero).
+- For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero).
- -or-
+ -or-
-- Create a new REG\_DWORD registry setting named **DisableWindowsSpotlightFeatures** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
+- Create a new REG\_DWORD registry setting named **DisableWindowsSpotlightFeatures** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
-- Configure the following in **Settings**:
+- Configure the following in **Settings**:
- - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**.
+ - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**.
> [!NOTE]
> In Windows 10, version 1507 and Windows 10, version 1511, this setting was named **Show me tips, tricks, and more on the lock screen**.
- - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
+ - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
- - **System** > **Notifications & actions** > **Show me tips about Windows**.
+ - **System** > **Notifications & actions** > **Show me tips about Windows**.
- -or-
+ -or-
-- Apply the Group Policies:
+- Apply the Group Policies:
- - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
- - Add a location in the **Path to local lock screen image** box.
+ - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
+ - Add a location in the **Path to local lock screen image** box.
- - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
+ - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
- > [!NOTE]
- > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting nameed **LockScreenImage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting named **LockScreenOverlaysDisabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one).
+ > [!NOTE]
+ > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting nameed **LockScreenImage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting named **LockScreenOverlaysDisabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one).
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**.
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**.
- -or-
+ -or-
- - Create a new REG\_DWORD registry setting named **DisableSoftLanding** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
+ - Create a new REG\_DWORD registry setting named **DisableSoftLanding** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
- -or-
+ -or-
- - Create a new REG\_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
+ - Create a new REG\_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one).
For more info, see [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight).
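Review bot: 'create a new REG_SZ registry setting nameed LockScreenImage' in the re-indented note is a typo for 'named'; it is carried over unchanged from the removed line, so fix it while the line is being rewritten. Also check that the note, now indented one level deeper under the 'Force a specific default lock screen image' sub-bullet, still renders as a [!NOTE] alert rather than a plain blockquote inside the list.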
@@ -1958,17 +1956,17 @@ This will also turn off automatic app updates, and the Microsoft Store will be d
In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**.
On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps.
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**.
- -or-
+ -or-
- - Create a new REG\_DWORD registry setting named **DisableStoreApps** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 1 (one).
+ - Create a new REG\_DWORD registry setting named **DisableStoreApps** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 1 (one).
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**.
- -or-
+ -or-
- - Create a new REG\_DWORD registry setting named **AutoDownload** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 2 (two).
+ - Create a new REG\_DWORD registry setting named **AutoDownload** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 2 (two).
### 26.1 Apps for websites
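Review bot: the registry bullets for DisableStoreApps and AutoDownload are indented as sub-items after '-or-', whereas every other section in this file lists the registry alternative as a top-level bullet; flatten them to match. There is also no '-and-' between the DisableStoreApps bullet and the following 'Apply the Group Policy ... Turn off Automatic Download and Install of updates' bullet, so it is unclear whether both policies are needed to produce the behaviour described above ('This will also turn off automatic app updates'); add the connector.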
@@ -1990,7 +1988,7 @@ In Windows 10, version 1607, you can stop network traffic related to Windows Upd
You can set up Delivery Optimization from the **Settings** UI.
-- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
+- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
### 27.2 Delivery Optimization Group Policies
@@ -2039,47 +2037,47 @@ For more info about Delivery Optimization in general, see [Windows Update Delive
You can turn off Windows Update by setting the following registry entries:
-- Add a REG\_DWORD value named **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+- Add a REG\_DWORD value named **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
- -and-
+ -and-
-- Add a REG\_DWORD value named **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+- Add a REG\_DWORD value named **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
- -and-
+ -and-
-- Add a REG\_DWORD value named **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1.
+- Add a REG\_DWORD value named **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1.
- -or-
+ -or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**.
- -and-
+ -and-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**.
- -and-
+ -and-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to " ".
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to " ".
You can turn off automatic updates by doing one of the following. This is not recommended.
-- Add a REG\_DWORD value named **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
+- Add a REG\_DWORD value named **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
- -or-
+ -or-
-- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update), where:
+- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update), where:
- - **0**. Notify the user before downloading the update.
+ - **0**. Notify the user before downloading the update.
- - **1**. Auto install the update and then notify the user to schedule a device restart.
+ - **1**. Auto install the update and then notify the user to schedule a device restart.
- - **2** (default). Auto install and restart.
+ - **2** (default). Auto install and restart.
- - **3**. Auto install and restart at a specified time.
+ - **3**. Auto install and restart at a specified time.
- - **4**. Auto install and restart without end-user control.
+ - **4**. Auto install and restart without end-user control.
- - **5**. Turn off automatic updates.
+ - **5**. Turn off automatic updates.
To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx).
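Review bot: Every `-`/`+` pair in this hunk, from the **UseWUServer** bullet through the **AllowAutoUpdate** value list, is textually identical as shown, so the change appears to be line-ending or trailing-whitespace only; confirm with `git diff -w` (or `--ignore-cr-at-eol`), say so in the commit message, and consider a `.gitattributes` `text=auto` rule so this file does not churn again. While the lines are being touched anyway, the last bullet's `set the **Set the alternate download server** to " "` quotes a literal space; if an empty value is intended, say "leave the field blank" instead, since readers building policy from this page will otherwise type a space.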
diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md
new file mode 100644
index 0000000000..92c2dfc96e
--- /dev/null
+++ b/windows/privacy/manage-windows-1709-endpoints.md
@@ -0,0 +1,488 @@
+---
+title: Connection endpoints for Windows 10, version 1709
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: danihalfin
+ms.author: daniha
+ms.date: 6/26/2018
+---
+# Manage connection endpoints for Windows 10, version 1709
+
+**Applies to**
+
+- Windows 10, version 1709
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
+
+We used the following methodology to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Enterprise connection endpoints
+
+## Apps
+
+The following endpoint is used to download updates to the Weather app Live Tile.
+If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com |
+
+The following endpoint is used for OneNote Live Tile.
+To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
+
+The following endpoints are used for Twitter updates.
+To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
+
+The following endpoint is used for Facebook updates.
+To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
+
+The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
+To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
+
+The following endpoint is used for Candy Crush Saga updates.
+To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
+
+The following endpoint is used for by the Microsoft Wallet app.
+To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
+
+The following endpoint is used by the Groove Music app for update HTTP handler status.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
+
+## Cortana and Search
+
+The following endpoint is used to get images that are used for Microsoft Store suggestions.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS |store-images.s-microsoft.com |
+
+The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client |
+
+The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive |
+
+The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
+
+## Certificates
+
+The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
+
+Additionally, it is used to download certificates that are publicly known to be fraudulent.
+These settings are critical for both Windows security and the overall security of the Internet.
+We do not recommend blocking this endpoint.
+If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
+
+## Device authentication
+
+The following endpoint is used to authenticate a device.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure |
+
+## Device metadata
+
+The following endpoint is used to retrieve device metadata.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+
+## Diagnostic Data
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
+
+The following endpoints are used by Windows Error Reporting.
+To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com |
+| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
+
+## Font streaming
+
+The following endpoints are used to download fonts on demand.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
+
+## Licensing
+
+The following endpoint is used for online activation and some app licensing.
+To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
+
+## Location
+
+The following endpoint is used for location data.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
+
+## Maps
+
+The following endpoint is used to check for updates to maps that have been downloaded for offline use.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
+
+## Microsoft account
+
+The following endpoints are used for Microsoft accounts to sign in.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
+
+## Microsoft Store
+
+The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.wns.windows.com |
+
+The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com |
+
+The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
+
+The following endpoints are used to communicate with Microsoft Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+
+## Network Connection Status Indicator (NCSI)
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
+
+## Office
+
+The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+
+The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
+
+The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
+
+## OneDrive
+
+The following endpoint is a redirection service that’s used to automatically update URLs.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
+
+The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
+To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
+
+## Settings
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
+
+## Skype
+
+The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
+
+
+
+## Windows Defender
+
+The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
+
+The following endpoints are used for Windows Defender definition updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com |
+
+## Windows Spotlight
+
+The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com |
+| | HTTPS | query.prod.cms.rt.microsoft.com |
+
+## Windows Update
+
+The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
+
+The following endpoints are used to download operating system patches and updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
+
+The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
+
+The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
+
+The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
+
+The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com |
+
+The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com |
+| svchost | | fe3.delivery.mp.microsoft.com |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
+| svchost | HTTPS | sls.update.microsoft.com |
+
+The following endpoint is used for content regulation.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
+
+The following endpoints are used to download content.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
+
+## Microsoft forward link redirection service (FWLink)
+
+The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
+
+If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
+
+## Other Windows 10 versions and editions
+
+To view endpoints for other versions of Windows 10 enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
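Review bot: two grammar slips in the added text of this hunk: "resulting in user unable to get apps from the Store" should read "resulting in users being unable to get apps from the Store", and "users of the device will not able to get apps" is missing "be". The content-regulation and content-download tables also leave both the source process and protocol cells empty (`| | | a122.dscd.akamai.net |`, `| | | a1621.g.akamai.net |`), so an administrator cannot derive a process-scoped firewall rule from them the way the other Windows Update rows allow; confirm whether these were captured as svchost over HTTPS and fill the cells in if so. Finally, the new file is committed without a trailing newline (`\ No newline at end of file`); add one so the next edit to the "Related links" list does not produce a spurious diff on the last line.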
diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md
similarity index 68%
rename from windows/privacy/manage-windows-endpoints.md
rename to windows/privacy/manage-windows-1803-endpoints.md
index c324f877dd..5cbbfcd3d1 100644
--- a/windows/privacy/manage-windows-endpoints.md
+++ b/windows/privacy/manage-windows-1803-endpoints.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 connection endpoints
+title: Connection endpoints for Windows 10, version 1803
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
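Review bot: the title is now version-specific (`title: Connection endpoints for Windows 10, version 1803`) but the `description:` and `keywords:` lines directly below it still describe generic "Windows 10 endpoints"; with a sibling 1809 page now existing, consider adding the version to both so the two pages can be told apart in search results and the keyword index, for example "Explains what Windows 10, version 1803, endpoints are used for, ...".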
@@ -10,11 +10,11 @@ author: danihalfin
ms.author: daniha
ms.date: 6/26/2018
---
-# Manage Windows 10 connection endpoints
+# Manage connection endpoints for Windows 10, version 1803
**Applies to**
-- Windows 10, version 1709 and later
+- Windows 10, version 1803
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
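Review bot: narrowing "Applies to" from "Windows 10, version 1709 and later" to "Windows 10, version 1803" removes the only Enterprise endpoint list that covered 1709; the new 1809 page's "Other Windows 10 versions and editions" section links only the 1803 and 1809 Enterprise pages, so once this rename lands 1709 Enterprise readers have no reference. Either keep a 1709 page or state on this one that the 1803 list is the one to use for 1709. Two small things in the unchanged context worth fixing while the front matter is open: `ms.date: 6/26/2018` was not bumped for a renamed and re-scoped page, and "Some Windows components, app, and related services" should read "apps".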
@@ -46,102 +46,102 @@ We used the following methodology to derive these network endpoints:
The following endpoint is used to download updates to the Weather app Live Tile.
If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| explorer | HTTP | tile-service.weather.microsoft.com | 1709 |
-| | HTTP | blob.weather.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com |
+| | HTTP | blob.weather.microsoft.com |
The following endpoint is used for OneNote Live Tile.
To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
The following endpoints are used for Twitter updates.
To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | wildcard.twimg.com | 1709 |
-| svchost.exe | | oem.twimg.com/windows/tile.xml | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
The following endpoint is used for Facebook updates.
To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | star-mini.c10r.facebook.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
The following endpoint is used for Candy Crush Saga updates.
To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | TLS v1.2 | candycrushsoda.king.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
The following endpoint is used for by the Microsoft Wallet app.
To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
The following endpoint is used by the Groove Music app for update HTTP handler status.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
## Cortana and Search
The following endpoint is used to get images that are used for Microsoft Store suggestions.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| searchui | HTTPS |store-images.s-microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS |store-images.s-microsoft.com |
The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| backgroundtaskhost | HTTPS | www.bing.com/client | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client |
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| backgroundtaskhost | HTTPS | www.bing.com/proactive | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive |
The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
## Certificates
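Review bot: the Cortana diagnostics table at the end of this hunk is still broken after the rewrite: the source-process cell is split across two physical lines (`+| searchui` followed by `backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |`), which Markdown renders as a stray paragraph rather than a table row. Since every row here is being rewritten anyway, fold it onto one line, for example `| searchui<br>backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |`. Dropping the "Applies from Windows 10 version" column is consistent with the page now covering only 1803, but it silently loses the fact that `blob.weather.microsoft.com` was introduced in 1803 while the rest date from 1709; if that distinction still matters for readers comparing versions it should be preserved somewhere. Minor wording in the unchanged context: "used for by the Microsoft Wallet app" has a double preposition, and "report diagnostic and diagnostic data information" repeats "diagnostic".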
@@ -152,142 +152,142 @@ These settings are critical for both Windows security and the overall security o
We do not recommend blocking this endpoint.
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTP | ctldl.windowsupdate.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
## Device authentication
The following endpoint is used to authenticate a device.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | login.live.com/ppsecure | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure |
## Device metadata
The following endpoint is used to retrieve device metadata.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | dmd.metaservices.microsoft.com.akadns.net | 1709 |
-| | HTTP | dmd.metaservices.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+| | HTTP | dmd.metaservices.microsoft.com |
## Diagnostic Data
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | cy2.vortex.data.microsoft.com.akadns.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
The following endpoints are used by Windows Error Reporting.
To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| wermgr | | watson.telemetry.microsoft.com | 1709 |
-| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com |
+| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
## Font streaming
The following endpoints are used to download fonts on demand.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | fs.microsoft.com | 1709 |
-| | | fs.microsoft.com/fs/windows/config.json | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
## Licensing
The following endpoint is used for online activation and some app licensing.
To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
## Location
The following endpoint is used for location data.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | location-inference-westus.cloudapp.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
## Maps
The following endpoint is used to check for updates to maps that have been downloaded for offline use.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | *g.akamaiedge.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
## Microsoft account
The following endpoints are used for Microsoft accounts to sign in.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | login.msa.akadns6.net | 1709 |
-| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
## Microsoft Store
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | *.wns.windows.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.wns.windows.com |
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | storecatalogrevocation.storequality.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com |
The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | 1709 |
-| backgroundtransferhost | HTTPS | store-images.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
+| backgroundtransferhost | HTTPS | store-images.microsoft.com |
The following endpoints are used to communicate with Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | storeedgefd.dsx.mp.microsoft.com | 1709 |
-| | HTTP | pti.store.microsoft.com | 1709 |
-||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| 1709 |
-| svchost | HTTPS | displaycatalog.mp.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+| svchost | HTTPS | displaycatalog.mp.microsoft.com |
## Network Connection Status Indicator (NCSI)
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | www.msftconnecttest.com/connecttest.txt | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
## Office
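Review bot: the Microsoft Store table carries a row that looks malformed and is copied over unchanged: `+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|` ends in `.\*.`, has no source process, and its cell spacing differs from every other row on the page; confirm the intended host pattern before republishing it under a version-specific title, because a firewall rule built from it would not match anything. Likewise `*g.akamaiedge.net` in the Maps table lacks a dot after the wildcard, unlike `*.wns.windows.com` and `*.a-msedge.net` elsewhere; check whether `*.g.akamaiedge.net` was meant. Two wording points in the unchanged context: "increases the attack vector on the device" should be "attack surface", and the WNS impact sentence "including MDM device management, mail synchronization, settings synchronization" needs "and" before the last item.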
@@ -295,74 +295,74 @@ The following endpoints are used to connect to the Office 365 portal's shared in
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | *.a-msedge.net | 1709 |
-| hxstr | | *.c-msedge.net | 1709 |
-| | | *.e-msedge.net | 1709 |
-| | | *.s-msedge.net | 1709 |
-| | HTTPS | ocos-office365-s2s.msedge.net | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+| | HTTPS | ocos-office365-s2s.msedge.net |
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| system32\Auth.Host.exe | HTTPS | outlook.office365.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
## OneDrive
The following endpoint is a redirection service that’s used to automatically update URLs.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| onedrive | HTTPS | oneclient.sfx.ms | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
## Settings
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| dmclient | | cy2.settings.data.microsoft.com.akadns.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| dmclient | HTTPS | settings.data.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | settings-win.data.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
## Skype
The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
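Review bot: the first dmclient table in this hunk keeps an empty Protocol cell for `cy2.settings.data.microsoft.com.akadns.net`, the same gap the removed row had, while the settings.data.microsoft.com table just below lists HTTPS for the same process. The akadns.net name looks like the load-balancer alias that the note in the new 1809 file warns about, so either fill in HTTPS here or fold the row into the settings.data.microsoft.com table so a reader does not see two entries for what is one connection. Separately, the Skype table's remediation text says "uninstall the app", but the source process shown is `microsoft.windowscommunicationsapps.exe` (the Mail and Calendar package), so the text should name which app actually has to be removed.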
@@ -371,102 +371,102 @@ The following endpoint is used to retrieve Skype configuration values. To turn o
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | wdcp.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
The following endpoints are used for Windows Defender definition updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | definitionupdates.microsoft.com | 1709 |
-|MpCmdRun.exe|HTTPS|go.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com |
## Windows Spotlight
The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| backgroundtaskhost | HTTPS | arc.msn.com | 1709 |
-| backgroundtaskhost | | g.msn.com.nsatc.net | 1709 |
-| |TLS v1.2| *.search.msn.com | 1709 |
-| | HTTPS | ris.api.iris.microsoft.com | 1709 |
-| | HTTPS | query.prod.cms.rt.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com |
+| | HTTPS | query.prod.cms.rt.microsoft.com |
## Windows Update
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
The following endpoints are used to download operating system patches and updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTP | *.windowsupdate.com | 1709 |
-| | HTTP | fg.download.windowsupdate.com.c.footprint.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | cds.d2s7q6s2.hwcdn.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | HTTP | *wac.phicdn.net | 1709 |
-| | | *wac.edgecastcdn.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | | emdl.ws.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com |
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | fe2.update.microsoft.com | 1709 |
-| svchost | | fe3.delivery.mp.microsoft.com | 1709 |
-| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | 1709 |
-| svchost | HTTPS | sls.update.microsoft.com | 1709 |
-| | HTTP | *.dl.delivery.mp.microsoft.com | 1803 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com |
+| svchost | | fe3.delivery.mp.microsoft.com |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
+| svchost | HTTPS | sls.update.microsoft.com |
+| | HTTP | *.dl.delivery.mp.microsoft.com |
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
The following endpoints are used to download content.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-| | | a122.dscd.akamai.net | 1709 |
-| | | a1621.g.akamai.net | 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
## Microsoft forward link redirection service (FWLink)
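Review bot: dropping the "Applies from Windows 10 version" column silently loses the one row in this hunk that was not 1709, `| | HTTP | *.dl.delivery.mp.microsoft.com | 1803 |` in the Windows Update table; after the change every row looks equally old, so someone diffing this page against the 1709 page has no way to see that the endpoint is new in 1803. If the per-version pages are meant to replace the column, add a sentence in the Windows Update section (or a changelog line) recording the 1803 addition. Worth fixing while these tables are rewritten: the Verizon CDN patterns `*wac.phicdn.net` and `*wac.edgecastcdn.net` have no dot after the wildcard, unlike every other wildcard on the page, and will not match the same way in a proxy or firewall allow-list; and the Protocol column mixes "TLS v1.2" (a transport) with "HTTP"/"HTTPS" (application protocols) for the Spotlight `*.search.msn.com` row.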
@@ -474,12 +474,16 @@ The following endpoint is used by the Microsoft forward link redirection service
If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
-| Source process | Protocol | Destination | Applies from Windows 10 version |
-|----------------|----------|------------|----------------------------------|
-|Various|HTTPS|go.microsoft.com| 1709 |
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
## Other Windows 10 editions
+To view endpoints for other versions of Windows 10 enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
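Review bot: the new "other versions" list at the top of this hunk links to manage-windows-1809-endpoints.md, but the front matter of that file as added in this same patch carries `title: Connection endpoints for Windows 10, version 1803`, so the 1809 entry will surface under a 1803 title in search and navigation; fix the title in the new file or the link text will mislead. Minor: "Windows 10 enterprise" should be "Windows 10 Enterprise", matching the capitalisation in the non-Enterprise list directly below.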
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
new file mode 100644
index 0000000000..dd3a50a2fe
--- /dev/null
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -0,0 +1,524 @@
+---
+title: Connection endpoints for Windows 10, version 1803
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+author: danihalfin
+ms.author: daniha
+ms.date: 6/26/2018
+---
+# Manage connection endpoints for Windows 10, version 1809
+
+**Applies to**
+
+- Windows 10, version 1809
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
+
+We used the following methodology to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Enterprise connection endpoints
+
+## Apps
+
+The following endpoint is used to download updates to the Weather app Live Tile.
+If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| explorer | HTTP | tile-service.weather.microsoft.com |
+| | HTTP | blob.weather.microsoft.com |
+
+The following endpoint is used for OneNote Live Tile.
+To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
+
+The following endpoints are used for Twitter updates.
+To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wildcard.twimg.com |
+| svchost.exe | | oem.twimg.com/windows/tile.xml |
+
+The following endpoint is used for Facebook updates.
+To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | star-mini.c10r.facebook.com |
+
+The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online.
+To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
+
+The following endpoint is used for Candy Crush Saga updates.
+To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | TLS v1.2 | candycrushsoda.king.com |
+
+The following endpoint is used for by the Microsoft Wallet app.
+To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+If you disable the Microsoft store, other Store apps cannot be installed or updated.
+Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
+
+The following endpoint is used by the Groove Music app for update HTTP handler status.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
+
+The following endpoints are used when using the Whiteboard app.
+To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | wbd.ms |
+| | HTTPS | int.whiteboard.microsoft.com |
+| | HTTPS | whiteboard.microsoft.com |
+| | HTTP / HTTPS | whiteboard.ms |
+
+## Cortana and Search
+
+The following endpoint is used to get images that are used for Microsoft Store suggestions.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui | HTTPS |store-images.s-microsoft.com |
+
+The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/client |
+
+The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | www.bing.com/proactive |
+
+The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
+
+## Certificates
+
+The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
+
+Additionally, it is used to download certificates that are publicly known to be fraudulent.
+These settings are critical for both Windows security and the overall security of the Internet.
+We do not recommend blocking this endpoint.
+If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
+
+## Device authentication
+
+The following endpoint is used to authenticate a device.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | login.live.com/ppsecure |
+
+## Device metadata
+
+The following endpoint is used to retrieve device metadata.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | dmd.metaservices.microsoft.com.akadns.net |
+| | HTTP | dmd.metaservices.microsoft.com |
+
+## Diagnostic Data
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
+
+The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 |
+
+The following endpoints are used by Windows Error Reporting.
+To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| wermgr | | watson.telemetry.microsoft.com |
+| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
+
+## Font streaming
+
+The following endpoints are used to download fonts on demand.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | fs.microsoft.com |
+| | | fs.microsoft.com/fs/windows/config.json |
+
+## Licensing
+
+The following endpoint is used for online activation and some app licensing.
+To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
+
+## Location
+
+The following endpoint is used for location data.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | location-inference-westus.cloudapp.net |
+| | HTTPS | inference.location.live.net |
+
+## Maps
+
+The following endpoint is used to check for updates to maps that have been downloaded for offline use.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *g.akamaiedge.net |
+
+## Microsoft account
+
+The following endpoints are used for Microsoft accounts to sign in.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | login.msa.akadns6.net |
+| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
+| | | us.configsvc1.live.com.akadns.net |
+
+## Microsoft Store
+
+The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | *.wns.windows.com |
+
+The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storecatalogrevocation.storequality.microsoft.com |
+
+The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
+| backgroundtransferhost | HTTPS | store-images.microsoft.com |
+
+The following endpoints are used to communicate with Microsoft Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | storeedgefd.dsx.mp.microsoft.com |
+| | HTTP \ HTTPS | pti.store.microsoft.com |
+||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
+| svchost | HTTPS | displaycatalog.mp.microsoft.com |
+
+## Network Connection Status Indicator (NCSI)
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | www.msftconnecttest.com/connecttest.txt |
+
+## Office
+
+The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
+| | | *.e-msedge.net |
+| | | *.s-msedge.net |
+| | HTTPS | ocos-office365-s2s.msedge.net |
+| | HTTPS | nexusrules.officeapps.live.com |
+| | HTTPS | officeclient.microsoft.com |
+
+The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
+If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
+
+The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
+
+The following endpoint is used to connect the Office To-Do app to it's cloud service.
+To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| |HTTPS|to-do.microsoft.com|
+
+## OneDrive
+
+The following endpoint is a redirection service that’s used to automatically update URLs.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
+
+The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
+To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
+
+## Settings
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| dmclient | HTTPS | settings.data.microsoft.com |
+
+The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | settings-win.data.microsoft.com |
+
+## Skype
+
+The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
+| | HTTPS | browser.pipe.aria.microsoft.com |
+| | | skypeecs-prod-usw-0-b.cloudapp.net |
+
+## Windows Defender
+
+The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | wdcp.microsoft.com |
+
+The following endpoints are used for Windows Defender definition updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | definitionupdates.microsoft.com |
+|MpCmdRun.exe|HTTPS|go.microsoft.com |
+
+The following endpoints are used for Windows Defender Smartscreen reporting and notifications.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTPS | ars.smartscreen.microsoft.com |
+| | HTTPS | unitedstates.smartscreen-prod.microsoft.com |
+| | | smartscreen-sn3p.smartscreen.microsoft.com |
+
+## Windows Spotlight
+
+The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| backgroundtaskhost | HTTPS | arc.msn.com |
+| backgroundtaskhost | | g.msn.com.nsatc.net |
+| |TLS v1.2| *.search.msn.com |
+| | HTTPS | ris.api.iris.microsoft.com |
+| | HTTPS | query.prod.cms.rt.microsoft.com |
+
+## Windows Update
+
+The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
+
+The following endpoints are used to download operating system patches and updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTP | *.windowsupdate.com |
+| | HTTP | fg.download.windowsupdate.com.c.footprint.net |
+
+The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | cds.d2s7q6s2.hwcdn.net |
+
+The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | HTTP | *wac.phicdn.net |
+| | | *wac.edgecastcdn.net |
+
+The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired).
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net |
+
+The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | | emdl.ws.microsoft.com |
+
+The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | fe2.update.microsoft.com |
+| svchost | | fe3.delivery.mp.microsoft.com |
+| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net |
+| svchost | HTTPS | sls.update.microsoft.com |
+| | HTTP | *.dl.delivery.mp.microsoft.com |
+
+The following endpoint is used for content regulation.
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
+
+The following endpoints are used to download content.
+If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+| | | a122.dscd.akamai.net |
+| | | a1621.g.akamai.net |
+
+## Microsoft forward link redirection service (FWLink)
+
+The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
+
+If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
+
+| Source process | Protocol | Destination |
+|----------------|----------|------------|
+|Various|HTTPS|go.microsoft.com|
+
+## Other Windows 10 editions
+
+To view endpoints for other versions of Windows 10 enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
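Review bot: Several wording defects in the endpoint descriptions should be fixed before merge: the Office To-Do line ("to it's cloud service") should read "its"; the SmartScreen line "Smartscreen notifications will no appear" should read "will not appear"; "will not able to" appears three times (OneDrive for Business, the TLU endpoint, and emdl.ws.microsoft.com) and needs "will not be able to"; and the TLU paragraph has an unmatched closing parenthesis after "has not acquired". The Microsoft Store table also carries a malformed row, `||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|`, whose destination ends in a stray `.\*.` and which lacks the cell spacing every other row uses; confirm the intended host pattern, because anyone building an allow list from this table will copy it verbatim. Finally, the second Office paragraph opens with "The following endpoint" but then says "these endpoints"; make the number agree, and consider writing "unknown" rather than leaving Source process and Protocol cells blank, so a blank is not read as "any".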
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 7ae1ab1d14..a3d175023d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -19,7 +19,7 @@ Windows Hello for Business authentication is passwordless, two-factor authentica
Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
[Azure AD join authentication to Azure Active Directory](#Azure-AD-join-authentication-to-Azure-Active-Directory)
-[Azure AD join authentication to Active Direcotry using a Key](#Azure-AD-join-authentication-to-Active-Direcotry-using-a-Key)
+[Azure AD join authentication to Active Directory using a Key](#Azure-AD-join-authentication-to-Active-Directory-using-a-Key)
[Azure AD join authentication to Active Directory using a Certificate](#Azure-AD-join-authentication-to-Active-Directory-using-a-Certificate)
[Hybrid Azure AD join authentication using a Key](#Hybrid-Azure-AD-join-authentication-using-a-Key)
[Hybrid Azure AD join authentication using a Certificate](#Hybrid-Azure-AD-join-authentication-using-a-Certificate)
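Review bot: The corrected anchor still uses the mixed case and hyphenation of the heading text rather than a generated heading id; most markdown renderers lowercase heading ids, so `#Azure-AD-join-authentication-to-Active-Directory-using-a-Key` resolves only if the renderer matches case-insensitively. Suggest `#azure-ad-join-authentication-to-active-directory-using-a-key`, and the same treatment for the sibling links in this block. While here, the context line "can optional authenticate to Active Directory" should read "can optionally authenticate".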
@@ -38,7 +38,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
[Return to top](#Windows-Hello-for-Business-and-Authentication)
## Azure AD join authentication to Active Directory using a Key
-
+
| Phase | Description |
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index ed91c63c54..20620f9410 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -75,7 +75,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
-> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store.
+> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url.
### Section Review ###
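Review bot: The certificate revocation list bullet (context line "such as a web-based url") should say "URL", and it would help to specify a plain HTTP location: if the CRL distribution point is served over HTTPS, the client has to validate that server's certificate as well, which can in turn require fetching the very CRL it is trying to download. The typo fix on the preceding bullet is correct.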
@@ -84,7 +84,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> * Minimum Windows Server 2012 Certificate Authority.
> * Enterprise Certificate Authority.
> * Functioning public key infrastructure.
-> * Root certifcate authority certificate (Azure AD Joined devices).
+> * Root certificate authority certificate (Azure AD Joined devices).
> * Highly available certificate revocation list (Azure AD Joined devices).
## Azure Active Directory ##
@@ -131,7 +131,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
> * Review the overview and uses of Azure Multifactor Authentication.
> * Review your Azure Active Directory subscription for Azure Multifactor Authentication.
> * Create an Azure Multifactor Authentication Provider, if necessary.
-> * Configure Azure Multufactor Authentiation features and settings.
+> * Configure Azure Multifactor Authentiation features and settings.
> * Understand the different User States and their effect on Azure Multifactor Authentication.
> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary.
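Review bot: The changed line fixes "Multufactor" but leaves a second typo on the same line: "Azure Multifactor Authentiation features" should read "Authentication". Suggest `> * Configure Azure Multifactor Authentication features and settings.`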
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index 621818ce66..70dd6093e7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -19,7 +19,7 @@ ms.date: 08/19/2018
- Key trust
-## Directory Syncrhonization
+## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
new file mode 100644
index 0000000000..fb9afb773b
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
@@ -0,0 +1,31 @@
+---
+title: Microsoft-compatible security key
+description: Windows10 enables users to sign in to their device using a security key. How is a Microsoft-compatible security key different (and better) than any other FIDO2 security key
+keywords: FIDO2, security key, CTAP, Hello, WHFB
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: aabhathipsay
+ms.author: aathipsa
+ms.localizationpriority: medium
+ms.date: 11/14/2018
+---
+# What is a Microsoft-compatible security key?
+> [!Warning]
+> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+Microsoft has been aligned with the [FIDO Alliance](https://fidoalliance.org/) with a mission to replace passwords with an easy to use, strong 2FA credential. We have been working with our partners to extensively test and deliver a seamless and secure authentication experience to end users.
+
+The [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html) contains a few optional features and extensions which are crucial to provide that seamless and secure experience.
+
+A security key **MUST** implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible:
+
+| # | Feature / Extension trust | Why is this required? |
+| --- | --- | --- |
+| 1 | Resident key | This feature enables the security key to be portable, where your credential is stored on the security key |
+| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have an user interface|
+| 3 | hmac-secret | This extension ensures you can sign-in to your device when it's off-line or in airplane mode |
+| 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account (MSA) and Azure Active Directory (AAD) |
+
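Review bot: The table header "Feature / Extension trust" contains a stray word and should read "Feature / Extension". Other wording to fix in the same file: "Windows10" in the description (and that description is a question with no question mark), "an user interface" should be "a user interface", and in the hmac-secret row "sign-in" is used as a verb ("sign in") while "off-line" should be "offline". Consider also tightening the Client pin row so the security point is explicit: the PIN is what supplies the second factor on a key that has no built-in way to verify the user. The two consecutive blank lines after the warning block can be reduced to one.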
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 15f9ab184e..851edc7279 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: operate
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
-ms.date: 09/19/2018
+ms.date: 11/16/2018
---
# How User Account Control works
@@ -182,7 +182,7 @@ To better understand each component, review the table below:
Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.
-Never notify (Disable UAC) will:
+Never notify (Disable UAC prompts) will:
- Not notify you when programs try to install software or make changes to your computer.
- Not notify you when you make changes to Windows settings.
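Review bot: The rename to "Disable UAC prompts" is the right correction, since the bullets that follow describe the consent dialogs being suppressed rather than UAC being switched off; consider making that explicit in the lead sentence (for example, "Never notify (Disable UAC prompts) removes the prompts only and will:") so readers do not conclude from the setting name that UAC's other protections are turned off.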
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 585264179f..cb56f52198 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.sitesec: library
ms.localizationpriority: medium
author: brianlic-msft
-ms.date: 10/13/2017
+ms.date: 11/16/2018
---
# Secure the Windows 10 boot process
@@ -122,9 +122,5 @@ Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to
## Summary
Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 10, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows 10, you can truly trust the integrity of your operating system.
-For more information:
-
-- Watch a [video demonstration of Secure Boot](https://technet.microsoft.com/windows/jj737995.aspx)
-
## Additional resources
- [Windows 10 Enterprise Evaluation](https://technet.microsoft.com/evalcenter/hh699156.aspx?ocid=wc-tn-wctc)
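Review bot: The "For more information" block is deleted outright, which removes the only link to the Secure Boot video demonstration; if the link is dead that is fine, but if it still resolves, move it under "Additional resources" instead of dropping it. Separately, the Summary context line ("the most ground-breaking anti-malware solution that Windows has ever had; it's leaps and bounds ahead of everything else") is marketing language in a security reference page; since this file is being touched anyway, tone it down to the concrete claim the first sentence already makes, that the three boot stages together are designed to resist bootkits and rootkits.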
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 4266ad036b..ea1d8e22a6 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -6,6 +6,7 @@
#### [Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)
##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md)
###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
+####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
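Review bot: The added entry uses a seven-level heading (`####### [System requirements](...)`); CommonMark defines ATX headings only up to six `#`, so a standard renderer treats a seventh as plain paragraph text. Verify that the TOC build accepts depth 7, or flatten the new entry to six levels beside "Application isolation".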
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index bba7a2624e..ae91d8d14b 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
-ms.date: 08/29/2017
+ms.date: 11/16/2018
---
# System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
@@ -50,7 +50,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP
### Best practices
-- For use with TLS, set this policy to **Enabled**. Client devices with this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Client devices that are connected to the network and do not support these algorithms cannot use servers that require the algorithms for network communications. If you enable this policy setting, you must also configure Internet Explorer to use TLS.
+There are no best practices for this setting. Our previous guidance had recommended a setting of **Enabled**, primarily to align with US Federal government recommendations. [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend this setting be **Not Defined**, meaning that we leave the decision to customers. For a deeper explanation, see [Why We’re Not Recommending “FIPS Mode” Anymore](https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/).
### Location
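Review bot: The replacement drops the interoperability consequence the old bullet carried (clients with the policy enabled cannot communicate through encrypted or signed protocols with servers that do not support the approved algorithms, and Internet Explorer must be configured for TLS); if that text does not survive elsewhere in the topic, keep it in a "Potential impact" or similar section, because "Not Defined" being the baseline recommendation does not tell an administrator what breaks when they enable the setting anyway.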
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 781b5ba5d5..97f4d15615 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -301,11 +301,10 @@ This setting will help ensure protection for a VM that has been offline for some
### Exclusions
On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
-- [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender)
+- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus)
## Additional resources
- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
-- [Project VRC: Windows Defender Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/)
- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)
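Review bot: The new link hard-codes the `en-us` locale in the docs.microsoft.com URL; drop the locale segment so the link follows the reader's locale, as the other docs links in this change do. Removing the "Project VRC" entry is justified, since its URL pointed at an unrelated post about offline VM patching rather than the Windows Defender Antivirus study its title named. While here, the context line "System Center Configuration Manger" should read "Manager".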
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
index 569d88a51c..10d6f5bedc 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 09/03/2018
+ms.date: 11/16/2018
---
# Restore quarantined files in Windows Defender AV
@@ -25,7 +25,7 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y
1. Open **Windows Security**.
2. Click **Virus & threat protection** and then click **Threat History**.
3. Under **Quarantined threats**, click **See full history**.
-4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.)
+4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.)
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
index ce654afdd8..b5d1cd4483 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@@ -65,7 +65,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
```
-After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
+After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
> [!Note]
> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
diff --git a/windows/security/threat-protection/windows-defender-application-guard/TOC.md b/windows/security/threat-protection/windows-defender-application-guard/TOC.md
new file mode 100644
index 0000000000..9e42b2b691
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-guard/TOC.md
@@ -0,0 +1,7 @@
+# [Windows Defender Application Guard](wd-app-guard-overview.md)
+
+## [System requirements](reqs-wd-app-guard.md)
+## [Install WDAG](install-wd-app-guard.md)
+## [Configure WDAG policies](configure-wd-app-guard.md)
+## [Test scenarios](test-scenarios-wd-app-guard.md)
+## [FAQ](faq-wd-app-guard.md)
\ No newline at end of file
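Review bot: The new TOC.md ends without a trailing newline (the "\ No newline at end of file" marker); add one so the file matches the other TOC files and avoids noisy diffs on the next edit.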
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 1bda153a18..f8ba6e6e36 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -4,14 +4,9 @@
### [Attack surface reduction](overview-attack-surface-reduction.md)
#### [Hardware-based isolation](overview-hardware-based-isolation.md)
##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
+###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md)
##### [System isolation](how-hardware-based-containers-help-protect-windows.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
-#### Device control
-##### [Control USB devices](../device-control/control-usb-devices-using-intune.md)
-##### [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-###### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
-####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
#### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
@@ -119,17 +114,19 @@
##### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
#### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
-### [Access the Windows Security app](community-windows-defender-advanced-threat-protection.md)
+### [Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md)
## [Configure and manage capabilities](onboard.md)
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
#### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md)
##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
-#### [Device control](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-##### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
-###### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-###### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+#### Device control
+##### [Control USB devices](../device-control/control-usb-devices-using-intune.md)
+##### [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+###### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
+####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
#### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
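Review bot: The relocated Device control block nests two entries at seven hash marks (the "Hardware qualifications" and "Enable HVCI" lines), one level deeper than the six heading levels standard Markdown defines; confirm the TOC renderer accepts that depth, or flatten those two to `######` alongside "Memory integrity". Also note that the earlier hunk removed this block from the "Attack surface reduction" overview entirely, so readers of the overview now have no pointer to Device Guard or HVCI; a single link back to the configure section would keep it discoverable.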
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
index 316fdb9dd1..a577f341aa 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
@@ -137,8 +137,8 @@ The filter selections will resolve as an additional query term and the results w
-## Public Advanced Hunting query GitHub repository
-Check out the [Advanced Hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
+## Public Advanced hunting query GitHub repository
+Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
index b1cde1afaf..3fd0865bf5 100644
--- a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
@@ -17,7 +17,7 @@ ms.date: 12/08/2017
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prereleaseinformation](prerelease.md)]
+[!include[Prerelease information](prerelease.md)]
Represents an alert entity in WDATP.
@@ -51,12 +51,12 @@ assignedTo | String | Owner of the alert
classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
-lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
-firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
+lastEventTime | DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine.
+firstEventTime | DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
# JSON representation
-```
+```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "636688558380765161_2136280442",
diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
index f54267ebfe..123a0bdfd0 100644
--- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
-ms.date: 28/02/2018
+ms.date: 11/20/2018
---
# Experience Windows Defender ATP through simulated attacks
@@ -25,6 +25,10 @@ ms.date: 28/02/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
+>[!TIP]
+> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+
+
You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response.
## Before you begin
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index c7d9e056c4..2609656756 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/12/2018
+ms.date: 11/14/2018
---
@@ -98,8 +98,28 @@ United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.dat
United States | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
+
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
+## Windows Defender ATP service backend IP range
+If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
+
+Windows Defender ATP is built on Azure cloud, deployed in the following regions:
+
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+
+
+You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
+
+>[!NOTE]
+> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
+
## Verify client connectivity to Windows Defender ATP service URLs
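Review bot: The region list under "Windows Defender ATP is built on Azure cloud, deployed in the following regions:" contains no region names, only seven escaped `\+\` bullets, so the section gives the reader nothing to act on; fill in the actual regions or drop the list until they are known. Two smaller points in the same hunk: "If you network devices" should read "If your network devices", and the closing note would be clearer as "It's recommended that you move to a DNS-based (URL) allow rule instead." From a network-control standpoint it is also worth stating plainly that opening the published Azure datacenter IP ranges permits egress to every Azure-hosted service, not just Windows Defender ATP, which is a much broader allow than the URLs in the previous section.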
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md
index aaf42956c2..101b345a77 100644
--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md
@@ -38,7 +38,7 @@ ms.date: 30/07/2018
> To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts
-> If you don't specify any version ( without /v1.0/ ) you will get to the latest version.
+> If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version.
Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
index a7384d989f..dfc82df1d8 100644
--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/24/2018
+ms.date: 11/15/2018
---
# OData queries with Windows Defender ATP
@@ -19,14 +19,58 @@ ms.date: 09/24/2018
[!include[Prerelease information](prerelease.md)]
-> If you are not familiar with OData queries, please see: [OData V4 queries](https://www.odata.org/documentation/)
+- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
-> ** Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.**
-> ** [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.**
+- Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.
+- [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.
### Example 1
-**Get all the machines with 'High' 'RiskScore'**
+**Get all the machines with the tag 'ExampleTag'**
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba",
+ "computerDnsName": "examples.dev.corp.Contoso.com",
+ "firstSeen": "2018-03-07T11:19:11.7234147Z",
+ "lastSeen": "2018-11-15T11:23:38.3196947Z",
+ "osPlatform": "Windows10",
+ "osVersion": "10.0.0.0",
+ "lastIpAddress": "123.17.255.241",
+ "lastExternalIpAddress": "123.220.196.180",
+ "agentVersion": "10.6400.18282.1001",
+ "osBuild": 18282,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [
+ "ExampleTag"
+ ],
+ "rbacGroupId": 5,
+ "rbacGroupName": "Developers",
+ "riskScore": "North",
+ "aadDeviceId": null
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 2
+
+- Get all the machines with 'High' 'RiskScore'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High'
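Review bot: In the Example 1 response the `"riskScore": "North"` value is not a valid risk score (the other examples on this page use 'High', 'Medium' and 'None') and looks like a copy of the old `rbacGroupName` value; correct it to a real score such as "None". Two consistency points in the same hunk: "entities supports all OData queries" should be "entities support", and "entity support all OData queries" should be "entity supports"; and Example 1 keeps a bold description line while Example 2 onward switch to a `-` bullet, so pick one style for all examples.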
@@ -42,7 +86,7 @@ Content-type: application/json
"value": [
{
"id": "e3a77eeddb83d581238792387b1239b01286b2f",
- "computerDnsName": "examples.dev.corp.microsoft.com",
+ "computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2016-11-02T23:26:03.7882168Z",
"lastSeen": "2018-11-12T10:27:08.708723Z",
"osPlatform": "Windows10",
@@ -55,7 +99,7 @@ Content-type: application/json
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 5,
- "rbacGroupName": "North",
+ "rbacGroupName": "Developers",
"riskScore": "High",
"aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
},
@@ -66,9 +110,9 @@ Content-type: application/json
}
```
-### Example 2
+### Example 3
-**Get top 100 machines with 'HealthStatus' not equals to 'Active'**
+- Get top 100 machines with 'HealthStatus' not equals to 'Active'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100
@@ -84,7 +128,7 @@ Content-type: application/json
"value": [
{
"id": "1113333ddb83d581238792387b1239b01286b2f",
- "computerDnsName": "examples.dev.corp.microsoft.com",
+ "computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2016-11-02T23:26:03.7882168Z",
"lastSeen": "2018-11-12T10:27:08.708723Z",
"osPlatform": "Windows10",
@@ -97,7 +141,7 @@ Content-type: application/json
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 5,
- "rbacGroupName": "North",
+ "rbacGroupName": "Developers",
"riskScore": "Medium",
"aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
},
@@ -108,9 +152,9 @@ Content-type: application/json
}
```
-### Example 3
+### Example 4
-**Get all the machines that last seen after 2018-10-20**
+- Get all the machines that last seen after 2018-10-20
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z
@@ -138,8 +182,8 @@ Content-type: application/json
"healthStatus": "Active",
"isAadJoined": false,
"machineTags": [],
- "rbacGroupId": 4,
- "rbacGroupName": "East",
+ "rbacGroupId": 5,
+ "rbacGroupName": "Developers",
"riskScore": "None",
"aadDeviceId": null
},
@@ -150,9 +194,9 @@ Content-type: application/json
}
```
-### Example 4
+### Example 5
-**Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using WDATP**
+- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP
```
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan'
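Review bot: The description names the user Analyst@examples.onmicrosoft.com, but the query on the following context line filters on `requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com'`; align the two so the example is self-consistent (the examples.* form matches the sample tenant used elsewhere on the page).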
diff --git a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
index 076ab10d21..1b6c340e45 100644
--- a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
@@ -15,7 +15,7 @@ ms.date: 12/08/2017
# File resource type
-[!include[Prereleaseinformation](prerelease.md)]
+[!include[Prerelease information](prerelease.md)]
Represent a file entity in WDATP.
@@ -34,7 +34,7 @@ Property | Type | Description
sha1 | String | Sha1 hash of the file content
sha256 | String | Sha256 hash of the file content
md5 | String | md5 hash of the file content
-globalPrevalence | Integer | File prevalence accross organization
+globalPrevalence | Integer | File prevalence across organization
globalFirstObserved | DateTimeOffset | First time the file was observed.
globalLastObserved | DateTimeOffset | Last time the file was observed.
size | Integer | Size of the file.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
index 0df45988d6..a51d83949c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
@@ -50,8 +50,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and alert and domain exist - 200 OK.
-If alert not found or domain not found - 404 Not Found.
+If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Found.
## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
index 0761a7b22c..aecd1dc46f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
@@ -50,8 +50,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and alert and files exist - 200 OK.
-If alert not found or files not found - 404 Not Found.
+If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.
## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
index 0aa81fbd10..3da5ca41df 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
@@ -51,7 +51,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and alert and an IP exist - 200 OK. If alert not found or IPs not found - 404 Not Found.
+If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found.
## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
index 5eec325056..33075d8e93 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
@@ -52,8 +52,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and alert and machine exist - 200 OK.
-If alert not found or machine not found - 404 Not Found.
+If successful and alert and machine exist - 200 OK. If alert not found or machine not found - 404 Not Found.
## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
index 143f06474b..5d1de50542 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
@@ -51,8 +51,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and alert and a user exists - 200 OK with user in the body.
-If alert not found or user not found - 404 Not Found.
+If successful and alert and a user exists - 200 OK with user in the body. If alert or user not found - 404 Not Found.
## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
index c68a75f6be..02ebbe143c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
@@ -58,7 +58,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body. If no recent alerts found - 404 Not Found.
+If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body.
## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
index ee1404dd5e..b1e8502727 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -57,7 +57,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and domain and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain or alert does not exist - 404 Not Found.
+If successful and domain exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain does not exist - 404 Not Found.
## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
index 4d69da1a53..f5ac6e74f8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -52,7 +52,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and domain and machine exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain or machines do not exist - 404 Not Found.
+If successful and domain exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain do not exist - 404 Not Found.
## Example
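Review bot: "If domain do not exist - 404 Not Found." should read "If domain does not exist - 404 Not Found.", matching the singular subject and the wording already used in the domain-related-alerts page above.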
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
index d3dd0b2f72..c940edba9f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
@@ -50,8 +50,7 @@ Authorization | Bearer {token}. **Required**.
Empty
## Response
-If successful and domain exists - 200 OK, with statistics object in the response body.
-If domain does not exist - 404 Not Found.
+If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404 Not Found.
## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
index 2080cabc06..82ba0c9a36 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
@@ -52,8 +52,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body.
-If file does not exist - 404 Not Found.
+If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body. If file does not exist - 404 Not Found.
## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
index 0ef637c98e..e34b9d8c77 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -55,8 +55,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and file and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
-If file or alerts do not exist - 404 Not Found.
+If successful and file exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found.
## Example
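Review bot: "If file do not exist - 404 Not Found." should read "If file does not exist - 404 Not Found."; the subject is singular, as in the get-file-information page in this same change.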
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
index 94de515e8e..79aaefa954 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -53,8 +53,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and file and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
-If file or machines do not exist - 404 Not Found.
+If successful and file exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found.
## Example
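Review bot: Same grammar slip as the neighbouring file pages: "If file do not exist" should be "If file does not exist".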
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
index 31913eb556..3f661dc422 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
@@ -54,8 +54,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and file exists - 200 OK with statistical data in the body.
-If file do not exist - 404 Not Found.
+If successful and file exists - 200 OK with statistical data in the body. If file do not exist - 404 Not Found.
## Example
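Review bot: grammar in the added Response line: "If file do not exist" should be "If the file does not exist". Suggested wording: `If successful and the file exists - 200 OK with statistical data in the body. If the file does not exist - 404 Not Found.`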
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
index 27c06e86a8..981c022145 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -53,8 +53,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and IP and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
-If IP and alerts do not exist - 404 Not Found.
+If successful and IP exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found.
## Example
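Review bot: grammar in the added Response line: "If IP do not exist" should be "If the IP does not exist". Suggested wording: `If successful and the IP exists - 200 OK with a list of alert entities in the body. If the IP does not exist - 404 Not Found.`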
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
index 20449184f7..3c68f72daf 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -53,8 +53,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and IP and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
-If IP or machines do not exist - 404 Not Found.
+If successful and IP exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found.
## Example
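Review bot: grammar in the added Response line: "If IP do not exist" should be "If the IP does not exist". Suggested wording: `If successful and the IP exists - 200 OK with a list of machine entities in the body. If the IP does not exist - 404 Not Found.`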
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
index 31988d7d7b..93e70b3e10 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
@@ -51,8 +51,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and machine and user exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body
-If no machine found or no users found - 404 Not Found.
+If successful and machine exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found.
## Example
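Review bot: grammar in the added Response line: "machine exist" should be "machine exists", and "If machine was not found" mixes tense with the "does not exist" wording used by the other API pages in this patch. Suggested wording: `If successful and the machine exists - 200 OK with a list of user entities in the body. If the machine does not exist - 404 Not Found.`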
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
index fc89631378..65ee88ebb5 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -53,7 +53,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and machine and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If no machine or no alerts found - 404 Not Found.
+If successful and machine exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found.
## Example
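Review bot: wording consistency in the added Response line: "If machine was not found" differs from the "does not exist" phrasing used by the sibling API pages in this patch. Suggested wording: `If the machine does not exist - 404 Not Found.`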
diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md
index 08d0bcb99e..1104afadfd 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-started.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-started.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 11/20/2018
---
# Get started with Windows Defender Advanced Threat Protection
@@ -19,6 +19,9 @@ ms.date: 09/03/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+>[!TIP]
+> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+
Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP.
The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
index ea4a25eca2..ef4ed492c9 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
@@ -21,7 +21,7 @@ ms.date: 12/08/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Retrieve a User entity by key (user name or domain\user).
+Retrieve a User entity by key (user name).
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
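Review bot: the key description changes from "user name or domain\user" to "user name" only, but this page gets none of the clarifying note that the related-alerts and related-machines pages receive in this same patch ("Note that the id is not the full UPN, but only the user name"). Suggest adding the same note here so a reader who previously passed a UPN or domain\user learns why the request now returns 404.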
@@ -58,7 +58,7 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
-GET https://api.securitycenter.windows.com/api/users/user1@contoso.com
+GET https://api.securitycenter.windows.com/api/users/user1
Content-type: application/json
```
@@ -72,7 +72,7 @@ HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
- "id": "user1@contoso.com",
+ "id": "user1",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-04T00:00:00Z",
"mostPrevalentMachineId": null,
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
index e109d17851..86bbb39785 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -41,7 +41,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
GET /api/users/{id}/alerts
```
-**Note that the id is not the Full UPN, its only the user name. For example, for user1@contoso.com you will need to send /api/users/user1/alerts**
+**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) **
## Request headers
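Review bot: markdown defect in the added note: there is a space before the closing `**` (`.../api/users/user1/alerts) **`), so the bold span will not close and the asterisks render literally. Suggest `...use /api/users/user1/alerts)**` with no space, and moving the full stop outside the parenthesis.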
@@ -54,7 +54,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and user and alert exists - 200 OK. If user or alerts does not exist - 404 Not Found.
+If successful and user exist - 200 OK. If the user do not exist - 404 Not Found.
## Example
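Review bot: grammar in the added Response line: "user exist" should be "user exists" and "If the user do not exist" should be "If the user does not exist". Suggested wording: `If successful and the user exists - 200 OK. If the user does not exist - 404 Not Found.` Unlike the sibling pages, this line also omits what the 200 body contains (a list of alert entities); consider stating it.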
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
index 6ea6b78d52..ec40578526 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 12/08/2017
+ms.date: 11/15/2018
---
# Get user related alerts API (deprecated)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
index 35a87d200a..9e0f217156 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -41,7 +41,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
GET /api/users/{id}/machines
```
-**Note that the id is not the Full UPN, its only the user name. For example, for user1@contoso.com you will need to send /api/users/user1/machines**
+**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) **
## Request headers
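Review bot: same markdown defect as the related-alerts page: the space before the closing `**` in `.../api/users/user1/machines) **` leaves the bold span unclosed. Suggest `...use /api/users/user1/machines)**` with no space.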
@@ -55,7 +55,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user or machines does not exist - 404 Not Found.
+If successful and user exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user does not exist - 404 Not Found.
## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index e9577e41f5..498cf8a90c 100644
--- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 11/06/2018
+ms.date: 11/20/2018
---
# Minimum requirements for Windows Defender ATP
@@ -23,6 +23,10 @@ There are some minimum requirements for onboarding machines to the service.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
+
+>[!TIP]
+> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
@@ -35,6 +39,7 @@ For more information on the array of features in Windows 10 editions, see [Compa
For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf).
+
## Related topic
- [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index aa40fd346e..3dd7d4940d 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 07/01/2018
+ms.date: 11/19/2018
---
# Onboard machines to the Windows Defender ATP service
@@ -128,7 +128,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
#### Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
-The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data.
+The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index 59c6a4e7a2..0a0076523d 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 10/10/2018
+ms.date: 11/19/2018
---
# Onboard previous versions of Windows
@@ -46,12 +46,13 @@ Windows Defender ATP integrates with System Center Endpoint Protection to provid
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
+- Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information, see [Allow connections to the Windows Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud)
## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
### Before you begin
Review the following details to verify minimum system requirements:
-- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) or a later monthly update rollup.
+- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
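Review bot: the removal of "or a later monthly update rollup" from the February rollup bullet narrows the stated requirement to one specific update. Monthly rollups are cumulative, so a machine on a newer rollup already satisfies this; if the intent is only to shorten the sentence, keep the "or later" qualifier so readers do not think they must install KB4074598 specifically. If a later rollup really is insufficient, the reason should be stated.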
@@ -67,9 +68,9 @@ Review the following details to verify minimum system requirements:
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
>Don't install .NET framework 4.0.x, since it will negate the above installation.
+- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
-- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in your environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).
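Review bot: this hunk reintroduces a typo and a locale-specific link: the added bullet reads "in you environment" where the removed bullet had "in your environment", and it puts `/en-us/` back into the docs.microsoft.com URL that the removed line had made locale-neutral. This looks like an accidental reversal of an earlier fix; suggest keeping the removed line as-is (`Collect data from computers in your environment with Log Analytics` linking to `https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites`).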
@@ -89,7 +90,7 @@ Once completed, you should see onboarded endpoints in the portal within an hour.
### Configure proxy and Internet connectivity settings
-- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
+- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
Agent Resource | Ports
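Review bot: the only change in this hunk is inserting `/en-us/` into the OMS Gateway link, which makes a locale-neutral docs.microsoft.com URL locale-specific again; as with the previous hunk, this looks like an unintended reversal and should be dropped. Unrelated but visible in context: "white-listed" could read "allow-listed" to match current terminology.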
diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md
index 9741504d5c..d650cb05c1 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 09/03/2018
+ms.date: 11/20/2018
---
# Overview of Windows Defender ATP capabilities
@@ -21,6 +21,9 @@ ms.date: 09/03/2018
Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform.
+>[!TIP]
+> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+
## In this section
Topic | Description
diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 4ede6cb172..1c6449106b 100644
--- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 10/26/2018
+ms.date: 11/19/2018
---
# Pull Windows Defender ATP alerts using REST API
@@ -106,6 +106,7 @@ DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retriev
DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.
**NOTE**: When not specified, the default value will be the current time.
string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.
Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.
**NOTE**: When not specified, all alerts available in the time range will be retrieved.
+machinegroups | String | Specifies machine groups to pull alerts from .
**NOTE**: When not specified, alerts from all machine groups will be retrieved.
Example:
```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
### Request example
The following example demonstrates how to retrieve all the alerts in your organization.
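Review bot: two small defects in the added `machinegroups` row: a stray space before the period in "to pull alerts from ." and the type column reads `String` while the neighbouring rows use lowercase `string` and `int`. Suggested row: `machinegroups | string | Specifies machine groups to pull alerts from.` The row also does not say that the parameter can be repeated; the example shows it (`machinegroups=UKMachines&machinegroups=FranceMachines`), so a short "Can be specified more than once" in the description would help.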
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index 743cb4b2da..de7712091a 100644
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -66,6 +66,10 @@ Windows Defender ATP uses the following combination of technology built into Win
+
+>[!TIP]
+> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+
**[Attack surface reduction](overview-attack-surface-reduction.md)**
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 360b2a59c8..13d105b946 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/15/2018
+ms.date: 11/19/2018
---
# Reduce attack surfaces with attack surface reduction rules
@@ -53,18 +53,9 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
-The rules apply to the following Office apps:
-
-- Microsoft Word
-- Microsoft Excel
-- Microsoft PowerPoint
-- Microsoft OneNote
-
-The rules do not apply to any other Office apps.
-
### Rule: Block executable content from email client and webmail
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
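Review bot: this hunk deletes the block "The rules apply to the following Office apps: Word, Excel, PowerPoint, OneNote ... The rules do not apply to any other Office apps", which scoped every Office rule at once. The per-rule app lists that replace it are added later in this patch only for the code-injection and Win32 API rules, so rules such as "Block Office applications from creating executable content" lose their scoping statement. Either keep the general list or add a per-rule list to every Office rule. The rename to the singular "Block Office communication application" in the table also changes the rule's heading anchor; see the note on the next hunk.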
@@ -80,6 +71,9 @@ This rule blocks the following file types from being run or launched from an ema
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
+>[!NOTE]
+>This does not include Outlook. For Outlook, please see [Block Office communication applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#rule-block-office-communication-applications-from-creating-child-processes).
+
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Rule: Block Office applications from creating executable content
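Review bot: the link in the added NOTE points at the anchor `#rule-block-office-communication-applications-from-creating-child-processes` (plural), but this same patch renames that heading to the singular "Block Office communication application from creating child processes", so the generated anchor no longer matches and the link will land at the top of the page. Suggest a relative, locale-neutral link to the renamed heading, e.g. `[Block Office communication application from creating child processes](#rule-block-office-communication-application-from-creating-child-processes)`, instead of the absolute `https://docs.microsoft.com/en-us/...` URL.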
@@ -90,7 +84,7 @@ Extensions will be blocked from being used by Office apps. Typically these exten
### Rule: Block Office applications from injecting code into other processes
-Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes.
+Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to inject code into other processes.
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
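Review bot: the app list added here ("Word, Excel, PowerPoint, and OneNote") differs from the child-process rule's list a few lines above, which also names Access. If Access is intentionally excluded from the code-injection rule that is fine, but it is worth confirming, since a reader will compare the two lists.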
@@ -116,7 +110,7 @@ This rule prevents scripts that appear to be obfuscated from running.
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
-This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs.
+This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote.
### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
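Review bot: the added sentence "This includes Word, Excel, PowerPoint, and OneNote." follows "Office files that contain macro code", so "This" reads as if it refers to the files rather than the applications the rule covers. Suggest: `This rule applies to Word, Excel, PowerPoint, and OneNote.`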
@@ -158,12 +152,15 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-### Rule: Block Office communication applications from creating child processes
+### Rule: Block Office communication application from creating child processes
-Office communication apps will not be allowed to create child processes. This includes Outlook.
+Outlook will not be allowed to create child processes.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
+>[!NOTE]
+>This rule applies to Outlook only.
+
### Rule: Block Adobe Reader from creating child processes
This rule blocks Adobe Reader from creating child processes.
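Review bot: the added NOTE "This rule applies to Outlook only." restates the sentence just above it ("Outlook will not be allowed to create child processes."), so one of the two can go. The unchanged sentence in between still says "attempt to use Office apps to launch or download malicious executables"; now that the rule is explicitly Outlook-only, "Outlook" would be more precise than "Office apps". Also note that renaming the heading to the singular changes its anchor, which the NOTE added earlier in this file links to by the old plural name.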
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index 7591a39db0..2ad55e0a66 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 11/16/2018
---
# Customize exploit protection
@@ -53,19 +53,19 @@ Validate exception chains (SEHOP) | Ensures the integrity of an exception chain
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
>[!IMPORTANT]
>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
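Review bot: the last column is flipped from check-yes to check-no for six mitigations (EAF, IAF, SimExec, CallerCheck, image dependency integrity, StackPivot) while the rows' descriptions and the column header are untouched, so nothing in the hunk says whether these mitigations lost that capability or whether the earlier values were wrong; please state which in the PR description and confirm the header row of this table agrees with the new values. Minor style point: "Not compatible with ACG" in the SimExec, CallerCheck and StackPivot rows lacks the trailing period that every other description in the table carries.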
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 675f449f0b..8e84a3872c 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -34,13 +34,13 @@ You can manually add the rules by using the GUIDs in the following table:
Rule description | GUID
-|-
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
-Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9B1eeee46550
+Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a
+Block Office applications from creating executable content | 3b576869-a4eC-4529-8536-b80a7769e899
+Block Office applications from injecting code into other processes | 75668c1f-73b5-4Cf0-bb93-3ecf5cb7cc84
+Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d
+Block execution of potentially obfuscated scripts | 5beb7efe-fd9A-4556-801d-275e5ffc04cc
+Block Win32 API calls from Office macro | 92e97fa1-2edf-4476-bdd6-9dd0B4dddc7b
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
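Review bot: the lowercasing of the GUIDs is incomplete. Several new values keep stray uppercase characters (`be9ba2d9-53ea-4cdc-84e5-9B1eeee46550`, `3b576869-a4eC-4529-8536-b80a7769e899`, `75668c1f-73b5-4Cf0-bb93-3ecf5cb7cc84`, plus `fd9A` and `9dd0B4dddc7b` in the last two changed rows), so the table is now neither all-uppercase as before nor all-lowercase like the unchanged rows below it (`01443614-cd74-433a-b99e-2ecdc07bfc25` and following). GUID matching is case-insensitive, but for a copy-paste table the values should be consistently lowercase; suggest fixing the five affected rows.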
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
index 98835fdcfd..325b6119b3 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: justinha
author: brianlic-msft
-ms.date: 08/08/2018
+ms.date: 11/15/2018
---
# Enable virtualization-based protection of code integrity
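Review bot: this file's `ms.date` is bumped to 11/15/2018 while the other files touched in the same patch move to 11/16/2018; if all changes land together the dates should probably match.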
@@ -42,7 +42,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
3. Double-click **Turn on Virtualization Based Security**.
-4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be enabled remotely or select **Enabled without UEFI lock**.
+4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.

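Review bot: the change from "enabled remotely" to "disabled remotely" is the right correction, since the UEFI lock exists to keep HVCI from being turned off by a later policy or registry change. The corrected step still runs the two options together without punctuation and gives no reason to pick the second one; suggest "... select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely, or select **Enabled without UEFI lock** if you need to be able to turn the setting off later through Group Policy."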
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index a143ed81a3..290fbdaae4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 11/16/2018
---
# Evaluate attack surface reduction rules
@@ -22,164 +22,14 @@ ms.date: 10/02/2018
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
-This topic helps you evaluate attack surface reduction rules. It explains how to demo ASR rules using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
-
->[!NOTE]
->This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it.
->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
+This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-## Use the demo tool to see how attack surface reduction rules work
-
-Use the **ExploitGuard ASR test tool** app to see how attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines.
-
-The tool is part of the Windows Defender Exploit Guard evaluation package:
-- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
-
-This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule.
-
-When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
-
-
-
-Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
-
->[!IMPORTANT]
->The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
-
-**Run a rule using the demo tool:**
-
-1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop).
-
-2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
-
-
- >[!IMPORTANT]
- >Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10.
-
-3. Select the rule from the drop-down menu.
-
-4. Select the mode, **Disabled**, **Block**, or **Audit**.
- 1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**.
-
-5. Click **RunScenario**.
-
-The scenario will run, and an output will appear describing the steps taken.
-
-You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer.
-
->[!TIP]
->You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules.
-
-
-Choosing the **Mode** will change how the rule functions:
-
-Mode option | Description
--|-
-Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled attack surface reduction rules at all.
-Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled attack surface reduction rules.
-Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how attack surface reduction rules will work but without impacting how you use the computer.
-
-Block mode will cause a notification to appear on the user's desktop:
-
-
-
-You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk.
-
-For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
-
-The following sections describe what each rule does and what the scenarios entail for each rule.
-
-### Rule: Block executable content from email client and webmail
-
-This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail.
-
-The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule:
-
-Scenario name | File type | Program
-- | - | -
-Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail
-Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook
-Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook
-Mail Client Script Archive | Script archive files | Microsoft Outlook
-WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail
-WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail
-WebMail Script Archive | Script archive files | Web mail
-
-
-### Rule: Block Office applications from creating child processes
-
->[!NOTE]
->There is only one scenario to test for this rule.
-
-Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
-
-### Rule: Block Office applications from creating executable content
-
-This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique.
-
-The following scenarios can be individually chosen:
-
-- Random
- - A scenario will be randomly chosen from this list
-- Extension Block
- - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
-
-### Rule: Block Office applications from injecting into other processes
-
->[!NOTE]
->There is only one scenario to test for this rule.
-
-Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
-
-### Rule: Impede JavaScript and VBScript to launch executables
-
-JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
-
-- Random
- - A scenario will be randomly chosen from this list
-- JScript
- - JavaScript will not be allowed to launch executable files
-- VBScript
- - VBScript will not be allowed to launch executable files
-
-### Rule: Block execution of potentially obfuscated scripts
-
-Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running.
-
-- Random
- - A scenario will be randomly chosen from this list
-- AntiMalwareScanInterface
- - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
-- OnAccess
- - Potentially obfuscated scripts will be blocked when an attempt is made to access them
-
-
-## Review Attack surface reduction events in Windows Event Viewer
-
-You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
-
-1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-2. On the left panel, under **Actions**, click **Import custom view...**
-
-3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-4. Click **OK**.
-
-5. This will create a custom view that filters to only show the following events related to Attack surface reduction:
-
-Event ID | Description
--|-
-5007 | Event when settings are changed
-1122 | Event when rule fires in Audit-mode
-1121 | Event when rule fires in Block-mode
-
## Use audit mode to measure impact
-You can also enable the Attack surface reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
+You can enable attack surface reduction rules in audit mode. This lets you see a record of what apps would have been blocked if you had enabled attack surface reduction rules.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
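Review bot: removing the "Review Attack surface reduction events in Windows Event Viewer" section also removes the only place in this topic that told readers which events to look for (5007 for settings changes, 1122 for audit-mode hits, 1121 for block-mode hits). The retained "Use audit mode to measure impact" section says the reader will "see a record of what apps would have been blocked" but no longer says where that record is. Suggest keeping a one-line pointer after the audit-mode paragraph, for example "Audited rule hits are logged as event ID 1122; see [event-views-exploit-guard.md](event-views-exploit-guard.md#list-of-attack-surface-reduction-events)." The removal of the demo-tool walkthrough itself is fine given that the Exploit Guard Evaluation Package link is no longer offered.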
@@ -189,17 +39,17 @@ To enable audit mode, use the following PowerShell cmdlet:
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
```
-This enables all Attack surface reduction rules in audit mode.
+This enables all attack surface reduction rules in audit mode.
>[!TIP]
->If you want to fully audit how Attack surface reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
-You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
+>If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md).
## Customize attack surface reduction rules
During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
-See the [Customize Exploit protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
+See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
## Related topics
- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
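Review bot: the line "You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting ..." is edited here but still lacks the leading `>` that the preceding TIP line has, so it renders outside the callout as an orphan paragraph; since the hunk touches the line anyway, either prefix it with `>` or leave a blank line before it so the break is intentional. Also, the unchanged context line "configure each rule individualy" has a typo (individually) that could be fixed in the same commit.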
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
index f30804cbd0..3357f3a4fc 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 11/16/2018
---
# Evaluate controlled folder access
@@ -24,70 +24,11 @@ ms.date: 10/02/2018
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
-This topic helps you evaluate controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
-
->[!NOTE]
->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled folder access topic](controlled-folders-exploit-guard.md).
+This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-## Use the demo tool to see how controlled folder access works
-
-Use the **ExploitGuard CFA File Creator** tool to see how controlled folder access can prevent a suspicious app from creating files in protected folders.
-
-The tool is part of the Windows Defender Exploit Guard evaluation package:
-- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
-
-This tool can be run locally on an individual machine to see the typical behavior of controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
-
-You can enable controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
-
-1. Type **powershell** in the Start menu.
-
-2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
-
-3. Enter the following in the PowerShell window to enable Controlled folder access:
- ```PowerShell
- Set-MpPreference -EnableControlledFolderAccess Enabled
- ```
-
-4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop).
-
-5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
-
-6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
-
- 
-
-7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
-
- 
-
-## Review controlled folder access events in Windows Event Viewer
-
-You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
-
-1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-2. On the left panel, under **Actions**, click **Import custom view...**
-
-3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-4. Click **OK**.
-
-5. This will create a custom view that filters to only show the following events related to Controlled folder access:
-
-Event ID | Description
--|-
-5007 | Event when settings are changed
-1124 | Audited controlled folder access event
-1123 | Blocked controlled folder access event
-1127 | Blocked controlled folder access sector write block event
-1128 | Audited controlled folder access sector write block event
-
-
## Use audit mode to measure impact
You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.
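Review bot: as with the attack surface reduction topic, dropping the Event Viewer section removes the event ID table (1123/1124 for blocked and audited access, 1127/1128 for the sector write block variants, 5007 for settings changes) while the retained audit-mode paragraph still promises "a record of what *would* have happened" without saying where to find it. Suggest a one-line pointer to the controlled folder access event list; note that the removed sentence linked to `event-views-exploit-guard.md#list-of-attack-surface-reduction-events`, which is the attack surface reduction anchor, so any restored pointer should use the controlled folder access anchor instead.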
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
index 1d7efe7b59..ec8690b50d 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 05/30/2018
+ms.date: 11/16/2018
---
# Evaluate exploit protection
@@ -26,75 +26,9 @@ Many of the features that are part of the [Enhanced Mitigation Experience Toolki
This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md).
->[!NOTE]
->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
->For instructions about how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see [Exploit protection](exploit-protection-exploit-guard.md).
-
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-## Enable and validate an exploit protection mitigation
-
-For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app.
-
-First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Security app:
-
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
-
-2. Enter the following cmdlet:
-
- ```PowerShell
- Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation
- ```
-
-3. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
-
-4. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
-
-5. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
-
-6. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**.
-
-Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user:
-
-1. Type **run** in the Start menu and press **Enter** to open the run dialog box.
-
-2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer.
-
-3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process).
-
-Lastly, we can disable the mitigation so that Internet Explorer works properly again:
-
-1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
-
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
-
-3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
-
-4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply**
-
-5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected.
-
-## Review exploit protection events in Windows Event Viewer
-
-You can now review the events that exploit protection sent to the Windows Event Viewer to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
-
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
-
-2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-3. On the left panel, under **Actions**, click **Import custom view...**
-
-4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-4. Click **OK**.
-
-5. This will create a custom view that filters to only show the events related to exploit protection.
-
-6. The specific event to look for in this demo is event ID 4, which should have the following or similar information:
-
- Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'.
-
## Use audit mode to measure impact
You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations.
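Review bot: this hunk removes the only worked verification in the topic, the `Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation` example and the sample event ID 4 message showing a blocked child-process creation, leaving the retained "Use audit mode to measure impact" section with no indication of where audit results appear. Suggest keeping at least a sentence that points readers to the exploit protection events in `event-views-exploit-guard.md` (the removed text linked to the attack surface reduction anchor, which was the wrong section for this topic). The removed numbered list also had two consecutive steps labelled "4.", so nothing of value is lost by not restoring it verbatim.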
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
index 995cbaeb50..9c5516c1de 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 08/09/2018
+ms.date: 11/16/2018
---
# Evaluate network protection
@@ -39,7 +39,7 @@ This topic helps you evaluate Network protection by enabling the feature and gui
Set-MpPreference -EnableNetworkProtection Enabled
```
-You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`.
+You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace "Enabled" with either "AuditMode" or "Disabled".
### Visit a (fake) malicious domain
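Review bot: replacing the backticked values `Enabled`, `AuditMode` and `Disabled` with straight double quotes is a step backwards. These are literal values of the `-EnableNetworkProtection` parameter shown in the fenced cmdlet just above (`Set-MpPreference -EnableNetworkProtection Enabled`), and the rest of this doc set renders such values as inline code; readers may also copy the quotes into the command. Suggest reverting this line to the backticked form.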
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index effaa35bd4..622cbcdd98 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -234,4 +234,4 @@ Support in [Windows Defender Application Guard](#windows-defender-application-gu
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.
-[How to take a screenshot on pc without any app](https://rahulit.com/how-to-take-a-screenshot-on-a-dell-laptop/)
+
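Review bot: removing the "How to take a screenshot on pc without any app" link to rahulit.com is correct, since it is unrelated to Windows 10 version 1803 and reads as an injected spam link, but the replacement `+` line is empty, so the file now ends with a stray blank line; delete the line outright instead. Separately, the unchanged context line whose link text reads "What's new in Windows 10, version 1709" points at the Windows hardware what's-new page and is described as "See what's new in Windows 10 hardware", so the link text and its description disagree and could be fixed in the same pass.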