diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e8aa9bae33..dc7228cc3e 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6741,6 +6741,11 @@ "redirect_document_id": true }, { +"source_path": "windows/configuration/multi-app-kiosk-troubleshoot.md", +"redirect_url": "/windows/configuration/kiosk-troubleshoot", +"redirect_document_id": true +}, +{ "source_path": "windows/configure/lock-down-windows-10-to-specific-apps.md", "redirect_url": "/windows/configuration/lock-down-windows-10-to-specific-apps", "redirect_document_id": true diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 0ac57ede0d..dc313f8f5d 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -83,7 +83,7 @@ Install the following module in Powershell ``` syntax install-module AzureAD Install-module MsOnline - ``` +``` ### Connecting to online services diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 5c34d22900..5e2329f8c0 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -7,13 +7,18 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 11/15/2018 --- # Change history for Surface documentation This topic lists new and updated topics in the Surface documentation library. +## January 2019 + +New or changed topic | Description +--- | --- +|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Studio 2 | + ## November 2018 New or changed topic | Description diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 52a92a6ef7..1d736b1ece 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md @@ -9,7 +9,6 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: brecords -ms.date: 11/15/2018 ms.author: jdecker ms.topic: article --- @@ -89,6 +88,12 @@ Download the following updates for [Surface Studio from the Microsoft Download C * SurfaceStudio_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 +## Surface Studio 2 + +Download the following updates for [Surface Studio 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=57593). + +* SurfaceStudio2_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 + ## Surface Book diff --git a/devices/surface/images/surface-ent-mgmt-fig1-uefi-configurator.png b/devices/surface/images/surface-ent-mgmt-fig1-uefi-configurator.png index 7ed392d31d..e8fb93a1a7 100644 Binary files a/devices/surface/images/surface-ent-mgmt-fig1-uefi-configurator.png and b/devices/surface/images/surface-ent-mgmt-fig1-uefi-configurator.png differ diff --git a/devices/surface/images/surface-ent-mgmt-fig2-securepackage.png b/devices/surface/images/surface-ent-mgmt-fig2-securepackage.png index a1316359d3..fa47419ca0 100644 Binary files a/devices/surface/images/surface-ent-mgmt-fig2-securepackage.png and b/devices/surface/images/surface-ent-mgmt-fig2-securepackage.png differ diff --git a/devices/surface/images/surface-ent-mgmt-fig3-enabledisable.png b/devices/surface/images/surface-ent-mgmt-fig3-enabledisable.png index 39b0c797e7..0a34907def 100644 Binary files a/devices/surface/images/surface-ent-mgmt-fig3-enabledisable.png and b/devices/surface/images/surface-ent-mgmt-fig3-enabledisable.png differ diff --git a/devices/surface/images/surface-ent-mgmt-fig4-advancedsettings.png b/devices/surface/images/surface-ent-mgmt-fig4-advancedsettings.png index 405e8c4d7e..f425466056 100644 Binary files a/devices/surface/images/surface-ent-mgmt-fig4-advancedsettings.png and b/devices/surface/images/surface-ent-mgmt-fig4-advancedsettings.png differ diff --git a/devices/surface/images/surface-ent-mgmt-fig5-success.png b/devices/surface/images/surface-ent-mgmt-fig5-success.png index 508f76533c..e671570fee 100644 Binary files a/devices/surface/images/surface-ent-mgmt-fig5-success.png and b/devices/surface/images/surface-ent-mgmt-fig5-success.png differ diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 5a35a44360..23e0c2dd91 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -57,6 +57,9 @@ Some scenarios where Microsoft Surface Data Eraser can be helpful include: >[!NOTE] >Because the ability to boot to USB is required to run Microsoft Surface Data Eraser, if the device is not configured to boot from USB or if the device is unable to boot or POST successfully, the Microsoft Surface Data Eraser tool will not function. +>[!NOTE] +>Surface Data Eraser on Surface Studio and Surface Studio 2 can take up to 6 minutes to boot into WinPE before disk erasure can occur. + ## How to create a Microsoft Surface Data Eraser USB stick diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index fee03a26b2..e42a925b72 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -17,7 +17,7 @@ ms.date: 01/06/2017 Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal. >[!NOTE] ->SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). +>SEMM is only available on devices with Surface UEFI firmware such as Surface Pro 4 and later, Surface Go, Surface Laptop, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM. @@ -25,7 +25,7 @@ There are two administrative options you can use to manage SEMM and enrolled Sur ## Microsoft Surface UEFI Configurator -The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied. +The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied. ![Microsoft Surface UEFI Configurator](images\surface-ent-mgmt-fig1-uefi-configurator.png "Microsoft Surface UEFI Configurator") @@ -74,14 +74,15 @@ You can enable or disable the following devices with SEMM: * Docking USB Port * On-board Audio +* DGPU * Type Cover -* Micro SD or SD Card Slots +* Micro SD Card * Front Camera * Rear Camera * Infrared Camera, for Windows Hello * Bluetooth Only * Wi-Fi and Bluetooth -* Trusted Platform Module (TPM) +* LTE You can configure the following advanced settings with SEMM: @@ -89,9 +90,12 @@ You can configure the following advanced settings with SEMM: * Alternate boot order, where the Volume Down button and Power button can be pressed together during boot, to boot directly to a USB or Ethernet device * Lock the boot order to prevent changes * Support for booting to USB devices +* Enable Network Stack boot settings +* Enable Auto Power On boot settings * Display of the Surface UEFI **Security** page * Display of the Surface UEFI **Devices** page * Display of the Surface UEFI **Boot** page +* Display of the Surface UEFI **DateTime** page >[!NOTE] >When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5. @@ -116,7 +120,7 @@ These characters are the last two characters of the certificate thumbprint and s >6. **All** or **Properties Only** must be selected in the **Show** drop-down menu. >7. Select the field **Thumbprint**. -To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM. +To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file with administrative privileges on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM. For a step-by-step walkthrough of how to enroll a Surface device in SEMM or apply a Surface UEFI configuration with SEMM, see [Enroll and configure Surface devices with SEMM](https://technet.microsoft.com/itpro/surface/enroll-and-configure-surface-devices-with-semm). @@ -189,6 +193,37 @@ For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must >[!NOTE] >For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick. +### Managing certificates FAQ + +The recommended *minimum* length is 15 months. You can use a +certificate that expires in less than 15 months or use a certificate +that expires in longer than 15 months. + +>[!NOTE] +>When a certificate expires, it does not automatically renew. + +**Will existing machines continue to apply the bios settings after 15 +months?** + +Yes, but only if the package itself was signed when the certificate was +valid. + +**Will** **the SEMM package and certificate need to be updated on all +machines that have it?** + +If you want SEMM reset or recovery to work, the certificate needs to be +valid and not expired. You can use the current valid ownership +certificate to sign a package that updates to a new certificate for +ownership. You do not need to create a reset package. + +**Can bulk reset packages be created for each surface that we order? Can +one be built that resets all machines in our environment?** + +The PowerShell samples that create a config package for a specific +device type can also be used to create a reset package that is +serial-number independent. If the certificate is still valid, you can +create a reset package using PowerShell to reset SEMM. + ## Version History ### Version 2.26.136.0 diff --git a/education/get-started/change-history-ms-edu-get-started.md b/education/get-started/change-history-ms-edu-get-started.md index 97ddde85fb..0110254868 100644 --- a/education/get-started/change-history-ms-edu-get-started.md +++ b/education/get-started/change-history-ms-edu-get-started.md @@ -2,8 +2,7 @@ title: Change history for Microsoft Education Get Started description: New and changed topics in the Microsoft Education get started guide. keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history -ms.prod: w10 -ms.technology: Windows +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md index caf9b51520..6da930b66d 100644 --- a/education/get-started/configure-microsoft-store-for-education.md +++ b/education/get-started/configure-microsoft-store-for-education.md @@ -3,7 +3,6 @@ title: Configure Microsoft Store for Education description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md index bab1e61628..5d3af7dc3d 100644 --- a/education/get-started/enable-microsoft-teams.md +++ b/education/get-started/enable-microsoft-teams.md @@ -3,7 +3,6 @@ title: Enable Microsoft Teams for your school description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md index b15394f6ac..120b357bc2 100644 --- a/education/get-started/finish-setup-and-other-tasks.md +++ b/education/get-started/finish-setup-and-other-tasks.md @@ -3,7 +3,6 @@ title: Finish Windows 10 device setup and other tasks description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index 39dad1f8e4..6df81f8b27 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md @@ -3,7 +3,6 @@ title: Deploy and manage a full cloud IT solution with Microsoft Education description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: hero-article diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md index 82ee6a90cd..01a5f5b4a9 100644 --- a/education/get-started/set-up-office365-edu-tenant.md +++ b/education/get-started/set-up-office365-edu-tenant.md @@ -3,7 +3,6 @@ title: Set up an Office 365 Education tenant description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/set-up-windows-10-education-devices.md b/education/get-started/set-up-windows-10-education-devices.md index 5b79384b77..a62a0e282d 100644 --- a/education/get-started/set-up-windows-10-education-devices.md +++ b/education/get-started/set-up-windows-10-education-devices.md @@ -3,7 +3,6 @@ title: Set up Windows 10 education devices description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md index ba8630edd9..e1f8ef557e 100644 --- a/education/get-started/set-up-windows-education-devices.md +++ b/education/get-started/set-up-windows-education-devices.md @@ -3,7 +3,6 @@ title: Set up Windows 10 devices using Windows OOBE description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md index baef903733..d1ab32cfa9 100644 --- a/education/get-started/use-intune-for-education.md +++ b/education/get-started/use-intune-for-education.md @@ -3,7 +3,6 @@ title: Use Intune for Education to manage groups, apps, and settings description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md index f880134137..f2bcfb50f9 100644 --- a/education/get-started/use-school-data-sync.md +++ b/education/get-started/use-school-data-sync.md @@ -3,7 +3,6 @@ title: Use School Data Sync to import student data description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/images/M365-education.svg b/education/images/M365-education.svg index 7f83629296..9591f90f68 100644 --- a/education/images/M365-education.svg +++ b/education/images/M365-education.svg @@ -1,4 +1,4 @@ - +
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index 652ef9e87c..0861f90f74 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -3,7 +3,6 @@ title: Educator Trial in a Box Guide description: Need help or have a question about using Microsoft Education? Start here. keywords: support, troubleshooting, education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article @@ -162,7 +161,7 @@ Use video to create a project summary. 1. Check you have the latest version of Microsoft Photos. Open the **Start** menu and search for **Store**. Select the **See more** button (**…**) and select **Downloads and updates**. Select **Get updates**. -2. Open Microsoft Edge and visit http://aka.ms/PhotosTIB to download a zip file of the project media. +2. Open Microsoft Edge and visit https://aka.ms/PhotosTIB to download a zip file of the project media. 3. Once the download has completed, open the zip file and select **Extract** > **Extract all**. Select **Browse** and choose the **Pictures** folder as the destination, and then select **Extract**. diff --git a/education/trial-in-a-box/images/it-admin1.svg b/education/trial-in-a-box/images/it-admin1.svg index f69dc4d324..695337f601 100644 --- a/education/trial-in-a-box/images/it-admin1.svg +++ b/education/trial-in-a-box/images/it-admin1.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/student1.svg b/education/trial-in-a-box/images/student1.svg index 832a1214ae..25c267bae9 100644 --- a/education/trial-in-a-box/images/student1.svg +++ b/education/trial-in-a-box/images/student1.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/student2.svg b/education/trial-in-a-box/images/student2.svg index 6566eab49b..5d473d1baf 100644 --- a/education/trial-in-a-box/images/student2.svg +++ b/education/trial-in-a-box/images/student2.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/teacher1.svg b/education/trial-in-a-box/images/teacher1.svg index 7db5c7dd32..00feb1e22a 100644 --- a/education/trial-in-a-box/images/teacher1.svg +++ b/education/trial-in-a-box/images/teacher1.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/teacher2.svg b/education/trial-in-a-box/images/teacher2.svg index e4f1cd4b74..592c516120 100644 --- a/education/trial-in-a-box/images/teacher2.svg +++ b/education/trial-in-a-box/images/teacher2.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md index 4a891bb989..c91f1c0264 100644 --- a/education/trial-in-a-box/index.md +++ b/education/trial-in-a-box/index.md @@ -3,7 +3,6 @@ title: Microsoft Education Trial in a Box description: For IT admins, educators, and students, discover what you can do with Microsoft 365 Education. Try it out with our Trial in a Box program. keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, IT admin, educator, student, explore, Trial in a Box ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index a8ba174071..49d37afbff 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -3,7 +3,6 @@ title: IT Admin Trial in a Box Guide description: Try out Microsoft 365 Education to implement a full cloud infrastructure for your school, manage devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md index 11a23af4ec..cc82641391 100644 --- a/education/trial-in-a-box/support-options.md +++ b/education/trial-in-a-box/support-options.md @@ -3,7 +3,6 @@ title: Microsoft Education Trial in a Box Support description: Need help or have a question about using Microsoft Education Trial in a Box? Start here. keywords: support, troubleshooting, education, Microsoft 365 Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 8a5441c5cc..3ab4c50a66 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -3,7 +3,6 @@ title: Reset devices with Autopilot Reset description: Gives an overview of Autopilot Reset and how you can enable and use it in your schools. keywords: Autopilot Reset, Windows 10, education ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 76c3513812..4185c9baae 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -3,7 +3,6 @@ title: Change history for Windows 10 for Education (Windows 10) description: New and changed topics in Windows 10 for Education keywords: Windows 10 education documentation, change history ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index d6bd7cb98c..58dcd89d1e 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -3,7 +3,6 @@ title: Change to Windows 10 Education from Windows 10 Pro description: Learn how IT Pros can opt into changing to Windows 10 Pro Education from Windows 10 Pro. keywords: change, free change, Windows 10 Pro to Windows 10 Pro Education, Windows 10 Pro to Windows 10 Pro Education, education customers, Windows 10 Pro Education, Windows 10 Pro ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 5ca42d662f..e981deb743 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -4,7 +4,6 @@ description: In this guide you will learn how to migrate a Google Chromebook-bas ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA keywords: migrate, automate, device, Chromebook migration ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu, devices diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 25b1199a54..9d1acc0a3c 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -5,7 +5,6 @@ keywords: Windows 10 deployment, recommendations, privacy settings, school, educ ms.mktglfcycl: plan ms.sitesec: library ms.prod: w10 -ms.technology: Windows ms.pagetype: edu ms.localizationpriority: medium author: CelesteDG @@ -149,7 +148,7 @@ For example: ![Set SetEduPolicies to True in Windows Configuration Designer](images/setedupolicies_wcd.png) ## Ad-free search with Bing -Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. Additional information is available at http://www.bing.com/classroom/about-us. +Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. Additional information is available at https://www.bing.com/classroom/about-us. > [!NOTE] > If you enable the guest account in shared PC mode, students using the guest account will not have an ad-free experience searching with Bing in Microsoft Edge unless the PC is connected to your school network and your school network has been configured as described in [IP registration for entire school network using Microsoft Edge](#ip-registration-for-entire-school-network-using-microsoft-edge). diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md index 3b0c7b4e62..a5fdfd4970 100644 --- a/education/windows/create-tests-using-microsoft-forms.md +++ b/education/windows/create-tests-using-microsoft-forms.md @@ -2,8 +2,7 @@ title: Create tests using Microsoft Forms description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. keywords: school, Take a Test, Microsoft Forms -ms.prod: w10 -ms.technology: Windows +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index f33287b723..b8897a3042 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -3,7 +3,6 @@ title: Deploy Windows 10 in a school district (Windows 10) description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices. keywords: configure, tools, device, school district, deploy Windows 10 ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index d430864463..d226f570db 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -3,7 +3,6 @@ title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. keywords: configure, tools, device, school, deploy Windows 10 ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 17435853f2..82c72e22f5 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -8,8 +8,7 @@ ms.localizationpriority: medium author: CelesteDG ms.author: celested ms.date: 10/13/2017 -ms.prod: W10 -ms.technology: Windows +ms.prod: w10 --- # Deployment recommendations for school IT administrators diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index d90e41f458..af93be32ee 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -2,7 +2,7 @@ title: Education scenarios Microsoft Store for Education description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools. keywords: school, Microsoft Store for Education, Microsoft education store -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -10,8 +10,7 @@ searchScope: - Store author: trudyha ms.author: trudyha -ms.date: 3/30/2018 -ms.technology: Windows +ms.date: 03/30/2018 --- # Working with Microsoft Store for Education diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md index a184220261..f58a24b82c 100644 --- a/education/windows/enable-s-mode-on-surface-go-devices.md +++ b/education/windows/enable-s-mode-on-surface-go-devices.md @@ -3,13 +3,12 @@ title: Enable S mode on Surface Go devices for Education description: Steps that an education customer can perform to enable S mode on Surface Go devices keywords: Surface Go for Education, S mode ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium author: kaushika-msft -ms.author: +ms.author: kaushik ms.date: 07/30/2018 --- @@ -54,8 +53,8 @@ process](https://docs.microsoft.com/windows/deployment/windows-10-deployment-sce publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" - xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + xmlns:wcm="https://schemas.microsoft.com/WMIConfig/2002/State" + xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"> 1 @@ -100,8 +99,8 @@ Education customers who wish to avoid the additional overhead associated with Wi publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" - xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + xmlns:wcm="https://schemas.microsoft.com/WMIConfig/2002/State" + xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"> 1 diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md index 6fb8b22725..d0b001b4b7 100644 --- a/education/windows/get-minecraft-device-promotion.md +++ b/education/windows/get-minecraft-device-promotion.md @@ -2,7 +2,7 @@ title: Get Minecraft Education Edition with your Windows 10 device promotion description: Windows 10 device promotion for Minecraft Education Edition licenses keywords: school, Minecraft, education edition -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -11,7 +11,6 @@ searchScope: - Store ms.author: trudyha ms.date: 06/05/2018 -ms.technology: Windows --- # Get Minecraft: Education Edition with Windows 10 device promotion diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 11aeea97ed..aadf84aabc 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -2,7 +2,7 @@ title: Get Minecraft Education Edition description: Learn how to get and distribute Minecraft Education Edition. keywords: school, Minecraft, education edition -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -11,7 +11,6 @@ searchScope: - Store ms.author: trudyha ms.date: 07/27/2017 -ms.technology: Windows ms.topic: conceptual --- @@ -22,7 +21,7 @@ ms.topic: conceptual - Windows 10 -[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. +[Minecraft: Education Edition](https://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. diff --git a/education/windows/index.md b/education/windows/index.md index 5f82e1d09a..d30a753c88 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -3,7 +3,6 @@ title: Windows 10 for Education (Windows 10) description: Learn how to use Windows 10 in schools. keywords: Windows 10, education ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index e9dabad759..363cc0b93e 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md @@ -5,7 +5,6 @@ keywords: Windows 10 S switch, S mode Switch, switch in S mode, Switch S mode, W ms.mktglfcycl: deploy ms.localizationpriority: medium ms.prod: w10 -ms.technology: Windows ms.sitesec: library ms.pagetype: edu ms.date: 12/03/2018 diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index d2daacd44e..2def962415 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -2,7 +2,7 @@ title: For IT administrators get Minecraft Education Edition description: Learn how IT admins can get and distribute Minecraft in their schools. keywords: Minecraft, Education Edition, IT admins, acquire -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -10,8 +10,7 @@ author: trudyha searchScope: - Store ms.author: trudyha -ms.date: 1/5/2018 -ms.technology: Windows +ms.date: 01/05/2018 ms.topic: conceptual --- @@ -21,7 +20,7 @@ ms.topic: conceptual - Windows 10 -When you sign up for a [Minecraft: Education Edition](http://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](http://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization. +When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization. >[!Note] >If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans). @@ -34,7 +33,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions ### Minecraft: Education Edition - direct purchase -1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**. +1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **GET STARTED**. diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index 16b59b9799..4a0081092e 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -3,7 +3,6 @@ title: Azure AD Join with Setup School PCs app description: Describes how Azure AD Join is configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 021860eac7..e362f372b9 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -3,7 +3,6 @@ title: What's in Set up School PCs provisioning package description: Lists the provisioning package settings that are configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md index 6276de2a50..3b3a9148a0 100644 --- a/education/windows/set-up-school-pcs-shared-pc-mode.md +++ b/education/windows/set-up-school-pcs-shared-pc-mode.md @@ -3,7 +3,6 @@ title: Shared PC mode for school devices description: Describes how shared PC mode is set for devices set up with the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index d826440afe..957af5e711 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -3,7 +3,6 @@ title: Set up School PCs app technical reference overview description: Describes the purpose of the Set up School PCs app for Windows 10 devices. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md index e942cf9a0a..b1f56ae163 100644 --- a/education/windows/set-up-school-pcs-whats-new.md +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -3,7 +3,6 @@ title: What's new in the Windows Set up School PCs app description: Find out about app updates and new features in Set up School PCs. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 0f59dd6be5..a14aa4c69b 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -2,8 +2,7 @@ title: Set up student PCs to join domain description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. keywords: school, student PC setup, Windows Configuration Designer -ms.prod: W10 -ms.technology: Windows +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 32c2f71bbb..77b6702db0 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -3,7 +3,6 @@ title: Provision student PCs with apps description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer ms.prod: w10 -ms.technology: Windows ms.pagetype: edu ms.mktglfcycl: plan ms.sitesec: library diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index 90bffc1644..f4f62a27f3 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -3,7 +3,6 @@ title: Set up Windows devices for education description: Decide which option for setting up Windows 10 is right for you. keywords: school, Windows device setup, education device setup ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index c444c9f842..8cfa0f104d 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -3,7 +3,6 @@ title: Take a Test app technical reference description: The policies and settings applied by the Take a Test app. keywords: take a test, test taking, school, policies ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu @@ -24,7 +23,7 @@ Take a Test is an app that locks down the PC and displays an online assessment w Whether you are a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments -Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](http://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api). +Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api). ## PC lockdown for assessment diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 3c4d28cb04..c08098f28d 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -3,7 +3,6 @@ title: Set up Take a Test on multiple PCs description: Learn how to set up and use the Take a Test app on multiple PCs. keywords: take a test, test taking, school, set up on multiple PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu @@ -29,7 +28,7 @@ To configure a dedicated test account on multiple PCs, select any of the followi - [Configuration in Intune for Education](#set-up-a-test-account-in-intune-for-education) - [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager) - [Provisioning package created through Windows Configuration Designer](#set-up-a-test-account-through-windows-configuration-designer) -- [Group Policy to deploy a scheduled task that runs a Powershell script](#set-up-a-test-account-in-group-policy) +- [Group Policy to deploy a scheduled task that runs a Powershell script](https://docs.microsoft.com/education/windows/take-a-test-multiple-pcs#create-a-scheduled-task-in-group-policy) ### Set up a test account in the Set up School PCs app If you want to set up a test account using the Set up School PCs app, configure the settings in the **Set up the Take a Test app** page in the Set up School PCs app. Follow the instructions in [Use the Set up School PCs app](use-set-up-school-pcs-app.md) to configure the test-taking account and create a provisioning package. @@ -169,7 +168,7 @@ This sample PowerShell script configures the tester account and the assessment U ``` $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; -$obj.LaunchURI='http://www.foo.com'; +$obj.LaunchURI='https://www.foo.com'; $obj.TesterAccount='TestAccount'; $obj.put() Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount @@ -266,7 +265,7 @@ Once the shortcut is created, you can copy it and distribute it to students. ## Assessment URLs This assessment URL uses our lockdown API: -- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/). +- SBAC/AIR: [https://mobile.tds.airast.org/launchpad/](https://mobile.tds.airast.org/launchpad/). ## Related topics diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 666b4d00a1..43ab25e727 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -3,7 +3,6 @@ title: Set up Take a Test on a single PC description: Learn how to set up and use the Take a Test app on a single PC. keywords: take a test, test taking, school, set up on single PC ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 7dfc8d1034..bede949a26 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -3,7 +3,6 @@ title: Take tests in Windows 10 description: Learn how to set up and use the Take a Test app. keywords: take a test, test taking, school, how to, use Take a Test ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 87afbb458f..b5f3145c61 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -2,8 +2,7 @@ title: For teachers get Minecraft Education Edition description: Learn how teachers can get and distribute Minecraft. keywords: school, Minecraft, Education Edition, educators, teachers, acquire, distribute -ms.prod: W10 -ms.technology: Windows +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -11,7 +10,7 @@ author: trudyha searchScope: - Store ms.author: trudyha -ms.date: 1/5/2018 +ms.date: 01/05/2018 ms.topic: conceptual --- @@ -24,13 +23,13 @@ ms.topic: conceptual The following article describes how teachers can get and distribute Minecraft: Education Edition. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the Microsoft Store for Education, via volume licensing agreements and through partner resellers. -To get started, go to http://education.minecraft.net/ and select **GET STARTED**. +To get started, go to https://education.minecraft.net/ and select **GET STARTED**. ## Try Minecraft: Education Edition for Free Minecraft: Education Edition is available for anyone to try for free! The free trial is fully-functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing. -To learn more and get started, go to http://education.minecraft.net/ and select **GET STARTED**. +To learn more and get started, go to https://education.minecraft.net/ and select **GET STARTED**. ## Purchase Minecraft: Education Edition for Teachers and Students diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index 29964738e0..ac962a298b 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -4,7 +4,6 @@ description: Provides guidance on downloading and testing Windows 10 in S mode f keywords: Windows 10 in S mode, try, download, school, education, Windows 10 in S mode installer, existing Windows 10 education devices ms.mktglfcycl: deploy ms.prod: w10 -ms.technology: Windows ms.pagetype: edu ms.sitesec: library ms.localizationpriority: medium @@ -80,21 +79,21 @@ Check with your device manufacturer before trying Windows 10 in S mode on your d | | | | | - | - | - | -| Acer | Alldocube | American Future Tech | -| ASBISC | Asus | Atec | -| Axdia | Casper | Cyberpower | -| Daewoo | Daten | Dell | -| Epson | EXO | Fujitsu | -| Getac | Global K | Guangzhou | -| HP | Huawei | I Life | -| iNET | Intel | LANIT Trading | -| Lenovo | LG | MCJ | -| Micro P/Exertis | Microsoft | MSI | -| Panasonic | PC Arts | Positivo SA | -| Positivo da Bahia | Samsung | Teclast | -| Thirdwave | Tongfang | Toshiba | -| Trekstor | Trigem | Vaio | -| Wortmann | Yifang | | +| Acer | Alldocube | American Future Tech | +| ASBISC | Asus | Atec | +| Axdia | Casper | Cyberpower | +| Daewoo | Daten | Dell | +| Epson | EXO | Fujitsu | +| Getac | Global K | Guangzhou | +| HP | Huawei | I Life | +| iNET | Intel | LANIT Trading | +| Lenovo | LG | MCJ | +| Micro P/Exertis | Microsoft | MSI | +| Panasonic | PC Arts | Positivo SA | +| Positivo da Bahia | Samsung | Teclast | +| Thirdwave | Tongfang | Toshiba | +| Trekstor | Trigem | Vaio | +| Wortmann | Yifang | | > [!NOTE] > If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in the future. diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index ad1e1eb9e2..46f5b99026 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -3,7 +3,6 @@ title: Use Set up School PCs app description: Learn how to use the Set up School PCs app and apply the provisioning package. keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 77282ce61d..d37d3c1d20 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -3,7 +3,6 @@ title: Windows 10 editions for education customers description: Provides an overview of the two Windows 10 editions that are designed for the needs of K-12 institutions. keywords: Windows 10 Pro Education, Windows 10 Education, Windows 10 editions, education customers ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu @@ -21,7 +20,7 @@ ms.date: 10/13/2017 Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](https://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). -Beginning with version 1607, Windows 10 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Configuration Designer](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](http://www.windows.com/). +Beginning with version 1607, Windows 10 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Configuration Designer](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. diff --git a/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md b/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md index 899bf80cdd..f36bf3a87b 100644 --- a/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md +++ b/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md @@ -67,7 +67,7 @@ The following best practices should be considered when sequencing a new applicat   - **Sequence to a unique directory that follows the 8.3 naming convention.** +- **Sequence to a unique directory that follows the 8.3 naming convention.** You should sequence all applications to a directory that follows the 8.3 naming convention. The specified directory name cannot contain more than eight characters, followed by a three-character file name extension—for example, **Q:\\MYAPP.ABC**. diff --git a/mdop/mbam-v25/mbam-25-security-considerations.md b/mdop/mbam-v25/mbam-25-security-considerations.md index 76a6a6c45c..37c627b035 100644 --- a/mdop/mbam-v25/mbam-25-security-considerations.md +++ b/mdop/mbam-v25/mbam-25-security-considerations.md @@ -32,7 +32,7 @@ This topic contains the following information about how to secure Microsoft BitL ## Configure MBAM to escrow the TPM and store OwnerAuth passwords -**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. +**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/windows/security/information-protection/tpm/change-the-tpm-owner-password) for further details. Depending on its configuration, the Trusted Platform Module (TPM) will lock itself in certain situations ─ such as when too many incorrect passwords are entered ─ and can remain locked for a period of time. During TPM lockout, BitLocker cannot access the encryption keys to perform unlock or decryption operations, requiring the user to enter their BitLocker recovery key to access the operating system drive. To reset TPM lockout, you must provide the TPM OwnerAuth password. @@ -40,7 +40,7 @@ MBAM can store the TPM OwnerAuth password in the MBAM database if it owns the TP ### Escrowing TPM OwnerAuth in Windows 8 and higher -**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. +**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/windows/security/information-protection/tpm/change-the-tpm-owner-password) for further details. In Windows 8 or higher, MBAM no longer must own the TPM to store the OwnerAuth password, as long as the OwnerAuth is available on the local machine. diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index 4d805de5fe..f27666d0fd 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -36,7 +36,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "justinha", - "ms.date": "04/05/2017", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-access-protection" diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 7d3ae2dae2..5c20bbd8a7 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -36,7 +36,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "elizapo", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 1ae7911088..d3c28bfc73 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -12,19 +12,19 @@ ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) ## [Windows libraries](windows-libraries.md) ## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md) -### [Advanced troubleshooting for Windows networking issues](troubleshoot-networking.md) -#### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md) -#### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md) -#### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md) -### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) -#### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) -#### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) -#### [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) -#### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) -### [Advanced troubleshooting for Windows start-up issues](troubleshoot-windows-startup.md) +### [Advanced troubleshooting for Windows networking](troubleshoot-networking.md) +#### [Advanced troubleshooting Wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md) +#### [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md) +##### [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md) +#### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) +##### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) +##### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) +##### [Troubleshoot port exhaustion](troubleshoot-tcpip-port-exhaust.md) +##### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) +### [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) #### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md) -#### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) -#### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md) -#### [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md) +#### [Advanced troubleshooting for Windows-based computer freeze](troubleshoot-windows-freeze.md) +#### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md) +#### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md) ## [Mobile device management for solution providers](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index b1ab9770a3..24681f6db4 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -1,87 +1,118 @@ --- -title: Advanced Troubleshooting 802.1x Authentication -description: Learn how 802.1x Authentication works -keywords: advanced troubleshooting, 802.1x authentication, troubleshooting, authentication, Wi-Fi +title: Advanced Troubleshooting 802.1X Authentication +description: Learn how 802.1X Authentication works +keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi ms.prod: w10 ms.mktglfcycl: ms.sitesec: library author: kaushika-msft ms.localizationpriority: medium -ms.author: mikeblodge -ms.date: 10/29/2018 +ms.author: greg-lindsay --- -# Advanced Troubleshooting 802.1x Authentication +# Advanced troubleshooting 802.1X authentication ## Overview -This is a general troubleshooting of 802.1x wireless and wired clients. With -802.1x and Wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make Access Points or Switches, it won't be an end-to-end Microsoft solution. + +This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or wwitches, it won't be an end-to-end Microsoft solution. -### Scenarios +## Scenarios + This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS. -### Known Issues -N/A - -### Data Collection -[Advanced Troubleshooting 802.1x Authentication Data Collection](https://docs.microsoft.com/en-us/windows/client-management/data-collection-for-802-authentication) - -### Troubleshooting -- Viewing the NPS events in the Windows Security Event log is one of the most useful troubleshooting methods to obtain information about failed authentications. +## Known Issues -NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. NPS event logging for rejected or accepted connection is enabled by default. -Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected (event ID 6273) or accepted (event ID 6272) connection attempts. +None -In the event message, scroll to the very bottom, and check the **Reason Code** field and the text associated with it. +## Data Collection + +See [Advanced troubleshooting 802.1X authentication data collection](data-collection-for-802-authentication.md). -![example of an audit failure](images/auditfailure.png) -*Example: event ID 6273 (Audit Failure)* +## Troubleshooting + +Viewing [NPS authentication status events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications. + +NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you are not seeing both success and failure events, see the section below on [NPS audit policy](#audit-policy). + +Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. + +In the event message, scroll to the very bottom, and check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text associated with it. + + ![example of an audit failure](images/auditfailure.png) + *Example: event ID 6273 (Audit Failure)*

‎ -![example of an audit success](images/auditsuccess.png) -*Example: event ID 6272 (Audit Success)* + ![example of an audit success](images/auditsuccess.png) + *Example: event ID 6272 (Audit Success)*
-‎ -- The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one. +‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one. -On client side, navigate to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational for wireless issue (for wired network access, ..\Wired-AutoConfig/Operational). +On the client side, navigate to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, navigate to **..\Wired-AutoConfig/Operational**. See the following example: ![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png) -- Most 802.1X authentication issues is due to problems with the certificate which is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). +Most 802.1X authentication issues are due to problems with the certificate that is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). -First, make sure which type of EAP method is being used. +First, validate the type of EAP method being used: ![eap authentication type comparison](images/comparisontable.png) -- If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from EAP property menu. See figure below. +If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu: ![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png) -- The CAPI2 event log will be useful for troubleshooting certificate-related issues. -This log is not enabled by default. You can enable this log by navigating to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2 directory and expand it, then right-click on the Operational view and click the Enable Log menu. +The CAPI2 event log will be useful for troubleshooting certificate-related issues. +This log is not enabled by default. You can enable this log by expanding **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, right-clicking **Operational** and then clicking **Enable Log**. -![screenshot of event viewer](images/eventviewer.png) +![screenshot of event viewer](images/capi.png) -You can refer to this article about how to analyze CAPI2 event logs. -[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29) -For detailed troubleshooting 802.1X authentication issues, it's important to understand 802.1X authentication process. The figure below is an example of wireless connection process with 802.1X authentication. +The following article explains how to analyze CAPI2 event logs: +[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29). -![aithenticatior flow chart](images/authenticator_flow_chart.png) - -- If you collect network packet capture on both a client and a NPS side, you can see the flow like below. Type **EAPOL** in Display Filter menu in Network Monitor for a client side and **EAP** for a NPS side. - -> [!NOTE] -> info not critical to a task If you also enable wireless scenario trace with network packet capture, you can see more detailed information on Network Monitor with **ONEX\_MicrosoftWindowsOneX** and **WLAN\_MicrosoftWindowsWLANAutoConfig** Network Monitor filtering applied. +When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication: + +![authenticatior flow chart](images/authenticator_flow_chart.png) +If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples: ![client-side packet capture data](images/clientsidepacket_cap_data.png) -*Client-side packet capture data* +*Client-side packet capture data*

![NPS-side packet capture data](images/NPS_sidepacket_capture_data.png) -*NPS-side packet capture data* -‎ +*NPS-side packet capture data*
+‎ + +> [!NOTE] +> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. Follow the instructions under the **Help** menu in Network Monitor to load the reqired [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/) if needed. See the example below. + +![ETL parse](images/etl.png) + +## Audit policy + +NPS audit policy (event logging) for connection success and failure is enabled by default. If you find that one or both types of logging are disabled, use the following steps to troubleshoot. + +View the current audit policy settings by running the following command on the NPS server: +``` +auditpol /get /subcategory:"Network Policy Server" +``` + +If both success and failure events are enabled, the output should be: +
+System audit policy
+Category/Subcategory                      Setting
+Logon/Logoff
+  Network Policy Server                   Success and Failure
+
+ +If it shows ‘No auditing’, you can run this command to enable it: + +``` +auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable +``` + +Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing via Group Policy. The success/failure setting can be found under **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server**. + ## Additional references -[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/ja-jp/library/cc766215%28v=ws.10%29.aspx) -[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/de-de/library/cc749352%28v=ws.10%29.aspx) +[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/library/cc766215%28v=ws.10%29.aspx)
+[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/library/cc749352%28v=ws.10%29.aspx) diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index 5647279113..412bbb99bc 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -7,30 +7,31 @@ ms.mktglfcycl: ms.sitesec: library author: kaushika-msft ms.localizationpriority: medium -ms.author: mikeblodge -ms.date: 10/29/2018 +ms.author: greg-lindsay --- -# Advanced Troubleshooting Wireless Network Connectivity + +# Advanced troubleshooting wireless network connectivity > [!NOTE] > Home users: This article is intended for use by support agents and IT professionals. If you're looking for more general information about Wi-Fi problems in Windows 10, check out this [Windows 10 Wi-Fi fix article](https://support.microsoft.com/en-in/help/4000432/windows-10-fix-wi-fi-problems). ## Overview -This is a general troubleshooting of establishing Wi-Fi connections from Windows Clients. + +This is a general troubleshooting of establishing Wi-Fi connections from Windows clients. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. Understanding this flow makes it easier to determine the starting point in a repro scenario in which a different behavior is found. This workflow involves knowledge and use of [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases), an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario. ## Scenarios -Any scenario in which Wi-Fi connections are attempted and fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7. +This article applies to any scenario in which Wi-Fi connections fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7. > [!NOTE] -> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component ETW. It is not meant to be representative of every wireless problem scenario. +> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario. -Wireless ETW is incredibly verbose and calls out lots of innocuous errors (i.e. Not really errors so much as behaviors that are flagged and have nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem. +Wireless ETW is incredibly verbose and calls out a lot of innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem. It is important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors. -The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible component(s) causing the connection problem. +The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible components that are causing the connection problem. ### Known Issues and fixes ** ** @@ -41,6 +42,7 @@ The intention of this troubleshooter is to show how to find a starting point in | **Windows 10, version 1703** | [KB4338827](https://support.microsoft.com/help/4338827) | Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update-history webpage for your system: +- [Windows 10 version 1809](https://support.microsoft.com/help/4464619) - [Windows 10 version 1803](https://support.microsoft.com/help/4099479) - [Windows 10 version 1709](https://support.microsoft.com/en-us/help/4043454) - [Windows 10 version 1703](https://support.microsoft.com/help/4018124) @@ -50,35 +52,47 @@ Make sure that you install the latest Windows updates, cumulative updates, and r - [Windows Server 2012](https://support.microsoft.com/help/4009471) - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/40009469) -### Data Collection -1. Network Capture with ETW. Use the following command: +## Data Collection - **netsh trace start wireless\_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl** +1. Network Capture with ETW. Enter the following at an elevated command prompt: -2. Reproduce the issue if: - - There is a failure to establish connection, try to manually connect - - It is intermittent but easily reproducible, try to manually connect until it fails. Include timestamps of each connection attempt (successes and failures) - - Tue issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data. - - Intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop). + ``` + netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl + ``` +2. Reproduce the issue. + - If there is a failure to establish connection, try to manually connect. + - If it is intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure. + - If the issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data. + - If intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop). +3. Stop the trace by entering the following command: + + ``` + netsh trace stop + ``` +4. To convert the output file to text format: + + ``` + netsh trace convert c:\tmp\wireless.etl + ``` + +See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you will have three files: wireless.cab, wireless.etl, and wireless.txt. + +## Troubleshooting -3. Run this command to stop the trace: **netsh trace stop** -4. To convert the output file to text format: **netsh trace convert c:\tmp\wireless.etl** - -### Troubleshooting The following is a high-level view of the main wifi components in Windows. - -![Wi-Fi stack components](images/wifistackcomponents.png) -The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (see taskbar icon) to connect to various networks including wireless. It accepts and processes input from the user and feeds it to the core wireless service (Wlansvc). The Wireless Autoconfig Service (Wlansvc) handles the core functions of wireless networks in windows: + + + + + + +
The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service.
The WLAN Autoconfig Service (WlanSvc) handles the following core functions of wireless networks in windows: - Scanning for wireless networks in range -- Managing connectivity of wireless networks +- Managing connectivity of wireless networks
The Media Specific Module (MSM) handles security aspects of connection being established.
The Native Wifi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.
Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.
-The Media Specific Module (MSM) handles security aspects of connection being established. -The Native Wifi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc. - -Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows. The wifi connection state machine has the following states: - Reset - Ihv_Configuring @@ -99,86 +113,105 @@ Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating --> Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset -- Filtering the ETW trace with the provided [TextAnalyisTool (TAT)](Missing wifi.tat file) filter is an easy first step to determine where a failed connection setup is breaking down: -Use the **FSM transition** trace filter to see the connection state machine. -Example of a good connection setup: +>Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases) (TAT) is an easy first step to determine where a failed connection setup is breaking down. A useful [wifi filter file](#wifi-filter-file) is included at the bottom of this article. -``` +Use the **FSM transition** trace filter to see the connection state machine. You can see [an example](#textanalysistool-example) of this filter applied in the TAT at the bottom of this page. + +The following is an example of a good connection setup: + +
 44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
-45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring
-45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring
+45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
+45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
 46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
 47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
 49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected
-```
-Example of a failed connection setup:
-```
+
+ +The following is an example of a failed connection setup: + +
 44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
-45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring
-45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring
+45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
+45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
 46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
 47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
 49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming
-```
-By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
+
+ +By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. + +Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components. In many cases the next component of interest will be the MSM, which lies just below Wlansvc. - -![MSM details](images/msmdetails.png) The important components of the MSM include: - Security Manager (SecMgr) - handles all pre and post-connection security operations. - Authentication Engine (AuthMgr) – Manages 802.1x auth requests + + ![MSM details](images/msmdetails.png) + Each of these components has their own individual state machines which follow specific transitions. Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail. + Continuing with the example above, the combined filters look like this: -``` +
 [2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Reset to State: Ihv_Configuring
 [2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Ihv_Configuring to State: Configuring
 [1] 0C34.2FE8::08/28/17-13:24:28.711 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Configuring to State: Associating
-[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --> ACTIVE (2)
-[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --> START AUTH (3)
+[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --> ACTIVE (2)
+[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --> START AUTH (3)
 [4] 0EF8.0708::08/28/17-13:24:28.928 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition ENABLED  --> START_AUTH  
 [3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Associating to State: Authenticating
-[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
+[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
 [4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH  --> AUTHENTICATING  
-[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
-[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
+[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
+[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
 [2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Authenticating to State: Roaming
-```
+
+ > [!NOTE] -> In this line the SecMgr transition is suddenly deactivating. This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation. +> In the next to last line the SecMgr transition is suddenly deactivating:
+>\[2\] 0C34.2FF0::08/28/17-13:24:29.7512788 \[Microsoft-Windows-WLAN-AutoConfig\]Port\[13\] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)

+>This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation. -- Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition: +Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition: -``` +
 [3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Associating to State: Authenticating
-[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
+[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
 [4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH  --> AUTHENTICATING  
 [0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE  
 [0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN :  PHY = 3, software state = on , hardware state = off ) 
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN  
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down  
 [0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2 
-[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
- [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
+[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
+ [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
 [2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Authenticating to State: Roaming
-```
-- The trail backwards reveals a Port Down notification. Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication.
-Below, the MSM is the native wifi stack (as seen in Figure 1). These are Windows native wifi drivers which talk to the wifi miniport driver(s). It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
+
+ +The trail backwards reveals a **Port Down** notification: + +\[0\] 0EF8.1174:: 08/28/17-13:24:29.705 \[Microsoft-Windows-WLAN-AutoConfig\]Received IHV PORT DOWN, peer 0x186472F64FD2 + +Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication. + +Below, the MSM is the native wifi stack. These are Windows native wifi drivers which talk to the wifi miniport drivers. It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it. + Enable trace filter for **[Microsoft-Windows-NWifi]:** -``` +
 [3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
 Associating to State: Authenticating
-[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
+[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
 [4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x8A1514B62510 AuthMgr Transition START_AUTH  --> AUTHENTICATING  
 [0]0000.0000::‎08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4 
 [0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE  
@@ -186,14 +219,108 @@ Associating to State: Authenticating
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN  
 [0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down  
 [0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2 
-[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
- [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
+[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
+ [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
 [2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: 
-Authenticating to State: Roaming
+Authenticating to State: Roaming
+ +In the trace above, we see the line: + +
+[0]0000.0000::‎08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4
+ +This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from the AP. + +### Resources + +[802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))
+[Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)
+ +## Example ETW capture + +
+C:\tmp>netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
+
+Trace configuration:
+-------------------------------------------------------------------
+Status:             Running
+Trace File:         C:\tmp\wireless.etl
+Append:             Off
+Circular:           On
+Max Size:           4096 MB
+Report:             Off
+
+C:\tmp>netsh trace stop
+Correlating traces ... done
+Merging traces ... done
+Generating data collection ... done
+The trace file and additional troubleshooting information have been compiled as "c:\tmp\wireless.cab".
+File location = c:\tmp\wireless.etl
+Tracing session was successfully stopped.
+
+C:\tmp>netsh trace convert c:\tmp\wireless.etl
+
+Input file:  c:\tmp\wireless.etl
+Dump file:   c:\tmp\wireless.txt
+Dump format: TXT
+Report file: -
+Generating dump ... done
+
+C:\tmp>dir
+ Volume in drive C has no label.
+ Volume Serial Number is 58A8-7DE5
+
+ Directory of C:\tmp
+
+01/09/2019  02:59 PM    [DIR]          .
+01/09/2019  02:59 PM    [DIR]          ..
+01/09/2019  02:59 PM         4,855,952 wireless.cab
+01/09/2019  02:56 PM         2,752,512 wireless.etl
+01/09/2019  02:59 PM         2,786,540 wireless.txt
+               3 File(s)     10,395,004 bytes
+               2 Dir(s)  46,648,332,288 bytes free
+
+ +## Wifi filter file + +Copy and paste all the lines below and save them into a text file named "wifi.tat." Load the filter file into the TextAnalysisTool by clicking **File > Load Filters**. + +``` + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` -The port down event is occurring due to a Disassociate coming Access Point as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from MAC device. -### **Resources** -### [802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10)) -### [Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29) +## TextAnalysisTool example +In the following example, the **View** settings are configured to **Show Only Filtered Lines**. + +![TAT filter example](images/tat.png) \ No newline at end of file diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md index 60a255a2b6..82b0d1b33c 100644 --- a/windows/client-management/data-collection-for-802-authentication.md +++ b/windows/client-management/data-collection-for-802-authentication.md @@ -1,78 +1,72 @@ --- -title: Data Collection for Troubleshooting 802.1x Authentication -description: Data needed for reviewing 802.1x Authentication issues -keywords: troubleshooting, data collection, data, 802.1x authentication, authentication, data +title: Data collection for troubleshooting 802.1X authentication +description: Data needed for reviewing 802.1X Authentication issues +keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data ms.prod: w10 ms.mktglfcycl: ms.sitesec: library author: kaushika-msft ms.localizationpriority: medium ms.author: mikeblodge -ms.date: 10/29/2018 --- -# Data Collection for Troubleshooting 802.1x Authentication - +# Data collection for troubleshooting 802.1X authentication + +Use the following steps to collect data that can be used to troubleshoot 802.1X authentication issues. When you have collected data, see [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md). ## Capture wireless/wired functionality logs Use the following steps to collect wireless and wired logs on Windows and Windows Server: 1. Create C:\MSLOG on the client machine to store captured logs. -2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log. +2. Launch an elevated command prompt on the client machine, and run the following commands to start a RAS trace log and a Wireless/Wired scenario log. **Wireless Windows 8.1 and Windows 10:** - ``` netsh ras set tracing * enabled netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl ``` - - **Wireless Windows 7 and Windows 8:** + +
**Wireless Windows 7 and Windows 8:** ``` netsh ras set tracing * enabled netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl ``` - - **Wired client, regardless of version** + +
**Wired client, regardless of version** ``` netsh ras set tracing * enabled netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl ``` 3. Run the following command to enable CAPI2 logging: - ``` wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true ``` 4. Create C:\MSLOG on the NPS to store captured logs. -5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log: +5. Launch an elevated command prompt on the NPS server and run the following commands to start a RAS trace log and a Wireless/Wired scenario log: **Windows Server 2012 R2, Windows Server 2016 wireless network:** - ``` netsh ras set tracing * enabled netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl ``` - - **Windows Server 2008 R2, Windows Server 2012 wireless network** - + +
**Windows Server 2008 R2, Windows Server 2012 wireless network** ``` netsh ras set tracing * enabled netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl ``` - **Wired network** - +
**Wired network** ``` netsh ras set tracing * enabled netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl ``` 6. Run the following command to enable CAPI2 logging: - ``` wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true ``` @@ -82,16 +76,16 @@ Use the following steps to collect wireless and wired logs on Windows and Window > When the mouse button is clicked, the cursor will blink in red while capturing a screen image. ``` - psr /start /output c:\MSLOG\%computername%_psr.zip /maxsc 100 + psr /start /output c:\MSLOG\%computername%_psr.zip /maxsc 100 ``` 8. Repro the issue. 9. Run the following command on the client PC to stop the PSR capturing: ``` - psr /stop + psr /stop ``` -10. Run the following commands from the command prompt on the NPS. +10. Run the following commands from the command prompt on the NPS server. - To stop RAS trace log and wireless scenario log: @@ -134,14 +128,14 @@ Use the following steps to collect wireless and wired logs on Windows and Window - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario) - All log files and folders in %Systemroot%\Tracing -## Save environmental and configuration information +## Save environment and configuration information ### On Windows client 1. Create C:\MSLOG to store captured logs. 2. Launch a command prompt as an administrator. 3. Run the following commands. - - Environmental information and Group Policies application status + - Environment information and Group Policy application status ``` gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.htm @@ -299,7 +293,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window 4. Save the logs stored in C:\MSLOG. -### Certificate Authority (CA) (OPTIONAL) +## Certification Authority (CA) (OPTIONAL) 1. On a CA, launch a command prompt as an administrator. Create C:\MSLOG to store captured logs. 2. Run the following commands. @@ -378,7 +372,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window ```powershell Import-Module ActiveDirectory - Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject_$Env:COMPUTERNAME.txt + Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter * -Properties * | fl * > C:\MSLOG\Get-ADObject_$Env:COMPUTERNAME.txt ``` 7. Save the following logs. - All files in C:\MSLOG on the CA diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index 4fc5382798..eab3b9f62e 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -35,8 +35,6 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "dongill", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/client-management/images/capi.png b/windows/client-management/images/capi.png new file mode 100644 index 0000000000..76bbcd0650 Binary files /dev/null and b/windows/client-management/images/capi.png differ diff --git a/windows/client-management/images/etl.png b/windows/client-management/images/etl.png new file mode 100644 index 0000000000..14a62c6450 Binary files /dev/null and b/windows/client-management/images/etl.png differ diff --git a/windows/client-management/images/eventviewer.png b/windows/client-management/images/eventviewer.png index 76bbcd0650..e0aa5d1721 100644 Binary files a/windows/client-management/images/eventviewer.png and b/windows/client-management/images/eventviewer.png differ diff --git a/windows/client-management/images/miniport.png b/windows/client-management/images/miniport.png new file mode 100644 index 0000000000..ba1b2fed2d Binary files /dev/null and b/windows/client-management/images/miniport.png differ diff --git a/windows/client-management/images/msm.png b/windows/client-management/images/msm.png new file mode 100644 index 0000000000..397df3e350 Binary files /dev/null and b/windows/client-management/images/msm.png differ diff --git a/windows/client-management/images/msmdetails.png b/windows/client-management/images/msmdetails.png index ad146b102e..cbcf20e114 100644 Binary files a/windows/client-management/images/msmdetails.png and b/windows/client-management/images/msmdetails.png differ diff --git a/windows/client-management/images/nm-adapters.png b/windows/client-management/images/nm-adapters.png new file mode 100644 index 0000000000..f4e25fdbc8 Binary files /dev/null and b/windows/client-management/images/nm-adapters.png differ diff --git a/windows/client-management/images/nm-start.png b/windows/client-management/images/nm-start.png new file mode 100644 index 0000000000..ec92f013a2 Binary files /dev/null and b/windows/client-management/images/nm-start.png differ diff --git a/windows/client-management/images/tat.png b/windows/client-management/images/tat.png new file mode 100644 index 0000000000..90eb328c38 Binary files /dev/null and b/windows/client-management/images/tat.png differ diff --git a/windows/client-management/images/wcm.png b/windows/client-management/images/wcm.png new file mode 100644 index 0000000000..6c26a3aeb7 Binary files /dev/null and b/windows/client-management/images/wcm.png differ diff --git a/windows/client-management/images/wifi-stack.png b/windows/client-management/images/wifi-stack.png new file mode 100644 index 0000000000..cf94f491c4 Binary files /dev/null and b/windows/client-management/images/wifi-stack.png differ diff --git a/windows/client-management/images/wlan.png b/windows/client-management/images/wlan.png new file mode 100644 index 0000000000..fea20f7272 Binary files /dev/null and b/windows/client-management/images/wlan.png differ diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 5d145ddd7f..07e2cb8f96 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -6,7 +6,7 @@ ### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) ### [Federated authentication device enrollment](federated-authentication-device-enrollment.md) ### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +### [On-premises authentication device enrollment](on-premise-authentication-device-enrollment.md) ## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md) ## [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md) ## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md index 4649e684c3..6431b3c083 100644 --- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md @@ -1,6 +1,6 @@ --- -title: On-premise authentication device enrollment -description: This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. +title: On-premises authentication device enrollment +description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. ms.assetid: 626AC8B4-7575-4C41-8D59-185D607E3A47 ms.author: maricia ms.topic: article @@ -10,16 +10,17 @@ author: MariciaAlforque ms.date: 06/26/2017 --- -# On-premise authentication device enrollment +# On-premises authentication device enrollment - -This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). ## In this topic -- [Discovery service](#discovery-service) -- [Enrollment policy web service](#enrollment-policy-web-service) -- [Enrollment web service](#enrollment-web-service) +- [On-premises authentication device enrollment](#on-premises-authentication-device-enrollment) + - [In this topic](#in-this-topic) + - [Discovery service](#discovery-service) + - [Enrollment policy web service](#enrollment-policy-web-service) + - [Enrollment web service](#enrollment-web-service) For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). @@ -27,9 +28,9 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. The service is a restful web service over HTTPS (server authentication only). -> **Note**  The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. +>[!NOTE] +>The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. -  The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc The first request is a standard HTTP GET request. @@ -126,9 +127,9 @@ The discovery response is in the XML format and includes the following fields: - Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. - Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. -> **Note**  The HTTP server response must not be chunked; it must be sent as one message. +>[!NOTE] +>The HTTP server response must not be chunked; it must be sent as one message. -  The following example shows a response received from the discovery web service for OnPremise authentication: ``` syntax @@ -211,9 +212,9 @@ After the user is authenticated, the web service retrieves the certificate templ MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. We will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms. -> **Note**  The HTTP server response must not be chunked; it must be sent as one message. +>[!NOTE] +>The HTTP server response must not be chunked; it must be sent as one message. -  The following snippet shows the policy web service response. ``` syntax @@ -303,9 +304,9 @@ The RequestSecurityToken will use a custom TokenType (http://schema The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. -> **Note**  The policy service and the enrollment service must be on the same server; that is, they must have the same host name. +>[!NOTE] +>The policy service and the enrollment service must be on the same server; that is, they must have the same host name. -  The following example shows the enrollment web service request for OnPremise authentication. ``` syntax @@ -514,12 +515,4 @@ The following example shows the encoded provisioning XML. -``` - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 1c06c38801..c936dbc5db 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1046,7 +1046,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 7578533727..5d622c650d 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -497,6 +497,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index c9fdf5ff82..dfad46a493 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -498,7 +498,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 47f25fad53..23c0950c12 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -2760,7 +2760,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 7c7ed13b63..95e6d74539 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1566,7 +1566,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index fe2a79ede1..248f11d3fd 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -289,7 +289,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 702252a71e..97176bf5d7 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -6,7 +6,6 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 12/01/2018 --- # Policy CSP - DeviceInstallation @@ -86,11 +85,8 @@ If you enable this policy setting, Windows is allowed to install or update any d If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. -For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -To get the hardware ID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Hardware Ids** from the **Property** menu: - -![Hardware IDs](images/hardware-ids.png) > [!TIP] @@ -142,7 +138,7 @@ To enable this policy, use the following SyncML. This example allows Windows to ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -200,11 +196,8 @@ This setting allows device installation based on the serial number of a removabl If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. -For a list of Class and ClassGUID entries for device setup classes, see [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. -To get the ClassGUID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Class GUID** from the **Property** menu: - -![Class GUIDs](images/class-guids.png) > [!TIP] @@ -262,7 +255,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt @@ -345,6 +338,8 @@ ADMX Info: + +
@@ -417,6 +412,37 @@ ADMX Info: +To enable this policy, use the following SyncML. This example prevents Windows from installing devices that are not specifically described by any other policy setting. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + + + string + + + + + + +``` + +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` +
@@ -461,15 +487,7 @@ If you enable this policy setting, Windows is prevented from installing a device If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. -For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). - -You can get the hardware ID in Device Manager. For example, USB drives are listed under Disk drives: - -![Disk drives](images/device-manager-disk-drives.png) - -Right-click the name of the device, click **Properties** > **Details** and select **Hardware Ids** as the **Property**: - -![Hardware IDs](images/disk-drive-hardware-id.png) +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. > [!TIP] @@ -513,7 +531,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -564,12 +582,7 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. -For a list of Class and ClassGUID entries for device setup classes, see [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). - -To get the ClassGUID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Class GUID** from the **Property** menu: - -![Class GUIDs](images/class-guids.png) - +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. > [!TIP] @@ -618,7 +631,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` -To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -634,6 +647,7 @@ Footnote: - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 2960d7874f..9c1747dae9 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/29/2018 +ms.date: 12/17/2018 --- # Policy CSP - DmaGuard @@ -65,7 +65,11 @@ ms.date: 06/29/2018 -This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. +This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. + +Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. + +This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. > [!Note] > This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices. @@ -105,7 +109,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index abd44c2998..c267e4587c 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1577,7 +1577,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 3cac24872a..823af29f0b 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -2132,7 +2132,7 @@ If you disable or do not configure this policy, users may choose their own site- > [!Note] > This policy is a list that contains the site and index value. -The list is a set of pairs of strings. Each string is seperated by F000. Each pair of string are stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. +The list is a set of pairs of strings. Each string is seperated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 8ff97003f8..276d6b2c9e 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -420,7 +420,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index c536cc66a5..b1594d5d38 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -3588,7 +3588,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 652e5979f3..bccb2e581b 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -4859,7 +4859,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index fb505e937f..15119bff73 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -747,7 +747,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index e889b3c61a..bbbecfc8b2 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1846,7 +1846,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 7858f38c0e..1701229b65 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -229,7 +229,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 8e9dd3ce58..25a2c66a62 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1437,7 +1437,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 7001fe088f..e806cf4108 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -93,7 +93,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index e96eb5340c..a6403f3b61 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -1334,7 +1334,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 17ee63877e..d1447a5e6c 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -3576,6 +3576,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 25ff1652b7..d8a9e0a74b 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -1430,7 +1430,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 07a7954820..e75a0cf6de 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -286,7 +286,7 @@ ADMX Info: -Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. +Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. diff --git a/windows/client-management/troubleshoot-networking.md b/windows/client-management/troubleshoot-networking.md index 6865732607..184a70c8f0 100644 --- a/windows/client-management/troubleshoot-networking.md +++ b/windows/client-management/troubleshoot-networking.md @@ -1,20 +1,34 @@ --- -title: Advanced troubleshooting for Windows networking issues -description: Learn how to troubleshoot networking issues. +title: Advanced troubleshooting for Windows networking +description: Learn how to troubleshoot networking ms.prod: w10 ms.sitesec: library ms.topic: troubleshooting author: kaushika-msft ms.localizationpriority: medium ms.author: kaushika -ms.date: --- -# Advanced troubleshooting for Windows networking issues +# Advanced troubleshooting for Windows networking -In these topics, you will learn how to troubleshoot common problems related to Windows networking. +The following topics are available to help you troubleshoot common problems related to Windows networking. -- [Advanced troubleshooting Wireless Network](advanced-troubleshooting-wireless-network-connectivity.md) -- [Data collection for troubleshooting 802.1x authentication](data-collection-for-802-authentication.md) -- [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md) -- [Advanced troubleshooting for TCP/IP issues](troubleshoot-tcpip.md) +- [Advanced troubleshooting for wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md) +- [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md) + - [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md) +- [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) + - [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) + - [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) + - [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) + - [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) + +## Concepts and technical references + +[802.1X authenticated wired access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11))
+[802.1X authenticated wireless access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994700(v%3dws.11))
+[Wireless cccess deployment overview](https://docs.microsoft.com/windows-server/networking/core-network-guide/cncg/wireless/b-wireless-access-deploy-overview)
+[TCP/IP technical reference](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379473(v=ws.10))
+[Network Monitor](https://docs.microsoft.com/windows/desktop/netmon2/network-monitor)
+[RPC and the network](https://docs.microsoft.com/windows/desktop/rpc/rpc-and-the-network)
+[How RPC works](https://docs.microsoft.com/windows/desktop/rpc/how-rpc-works)
+[NPS reason codes](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v=ws.10))
\ No newline at end of file diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 1ec7b52b6a..1ab9a027c6 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -8,7 +8,7 @@ ms.topic: troubleshooting author: kaushika-msft ms.localizationpriority: medium ms.author: kaushika -ms.date: 11/30/2018 +ms.date: 12/19/2018 --- # Advanced troubleshooting for Stop error or blue screen error issue @@ -101,8 +101,7 @@ The memory dump file is saved at the following locations. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video: ->[!video https://www.youtube.com/watch?v=xN7tOfgNKag&feature=youtu.be] - +>[!video https://www.youtube.com/embed/xN7tOfgNKag] More information on how to use Dumpchk.exe to check your dump files: diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md index a82076e8d9..5863c1b847 100644 --- a/windows/client-management/troubleshoot-tcpip-netmon.md +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -16,29 +16,27 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. -![A view of the properties for the adapter](images/tcp-ts-1.png) +![Adapters](images/nm-adapters.png) When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch. **To capture traffic** -1. Click **Start** and enter **Netmon**. +1. Run netmon in an elevated status by choosing Run as Administrator. -2. For **netmon run command**,select **Run as administrator**. + ![Image of Start search results for Netmon](images/nm-start.png) - ![Image of Start search results for Netmon](images/tcp-ts-3.png) - -3. Network Monitor opens with all network adapters displayed. Select **New Capture**, and then select **Start**. +2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then click **Start**. ![Image of the New Capture option on menu](images/tcp-ts-4.png) -4. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire. +3. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire. ![Frame summary of network packets](images/tcp-ts-5.png) -5. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file. +4. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file. -The saved file has captured all the traffic that is flowing to and from the network adapters of this machine. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic. +The saved file has captured all the traffic that is flowing to and from the selected network adapters on the local computer. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic. **Commonly used filters** @@ -56,5 +54,11 @@ The saved file has captured all the traffic that is flowing to and from the netw Network traces which are collected using the **netsh** commands built in to Windows are of the extension "ETL". However, these ETL files can be opened using Network Monitor for further analysis. +## More information - +[Intro to Filtering with Network Monitor 3.0](https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/)
+[Network Monitor Filter Examples](https://blogs.technet.microsoft.com/rmilne/2016/08/11/network-monitor-filter-examples/)
+[Network Monitor Wireless Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1900.network-monitor-wireless-filtering.aspx)
+[Network Monitor TCP Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1134.network-monitor-tcp-filtering.aspx)
+[Network Monitor Conversation Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1829.network-monitor-conversation-filtering.aspx)
+[How to setup and collect network capture using Network Monitor tool](https://blogs.technet.microsoft.com/msindiasupp/2011/08/10/how-to-setup-and-collect-network-capture-using-network-monitor-tool/)
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index d540b098dd..f6620bd9c5 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -7,12 +7,34 @@ ms.sitesec: library ms.author: elizapo author: kaushika-msft ms.localizationpriority: medium -ms.date: 11/08/2018 --- -# Top support solutions for Windows 10 + +# Troubleshoot Windows 10 clients + +This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 clients. Additional topics will be added as they become available. + +## Troubleshooting support topics + +- [Advanced troubleshooting for Windows networking](troubleshoot-networking.md)
+ - [Advanced troubleshooting wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
+ - [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md)
+ - [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md)
+ - [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
+ - [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
+ - [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
+ - [Troubleshoot port exhaustion](troubleshoot-tcpip-port-exhaust.md)
+ - [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
+- [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md)
+ - [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
+ - [Advanced troubleshooting for Windows-based computer issues](troubleshoot-windows-freeze.md)
+ - [Advanced troubleshooting for stop errors or blue screen errors](troubleshoot-stop-errors.md)
+ - [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
+ +## Windows 10 update history Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates: +- [Windows 10 version 1809 update history](https://support.microsoft.com/help/4464619) - [Windows 10 version 1803 update history](https://support.microsoft.com/help/4099479) - [Windows 10 version 1709 update history](https://support.microsoft.com/help/4043454) - [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124) @@ -23,6 +45,7 @@ Microsoft regularly releases both updates and solutions for Windows 10. To ensur These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles. ## Solutions related to installing Windows Updates + - [How does Windows Update work](https://docs.microsoft.com/en-us/windows/deployment/update/how-windows-update-works) - [Windows Update log files](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-logs) - [Windows Update troubleshooting](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting) @@ -34,7 +57,7 @@ These are the top Microsoft Support solutions for the most common issues experie - [Quick Fixes](https://docs.microsoft.com/en-us/windows/deployment/upgrade/quick-fixes) - [Troubleshooting upgrade errors](https://docs.microsoft.com/en-us/windows/deployment/upgrade/troubleshoot-upgrade-errors) - [Resolution procedures](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolution-procedures) -- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus) +- [0xc1800118 error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus) - [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system) ## Solutions related to BitLocker diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index c2226fc484..6be8931eeb 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -31,7 +31,7 @@ #### [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) #### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) #### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) -#### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) +#### [Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) ## [Configure Windows Spotlight on the lock screen](windows-spotlight.md) ## [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md) ## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index d7be6815e1..88f01acdce 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -17,7 +17,13 @@ ms.date: 11/07/2018 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. -## Novermber 2018 +## January 2019 + +New or changed topic | Description +--- | --- +[Prepare a device for kiosk configuration](kiosk-prepare.md) | Added how to connect to a single-app kiosk in a virtual machine (VM) for testing. + +## November 2018 New or changed topic | Description --- | --- diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index abe019f76c..e66228ba49 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -35,9 +35,8 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "jdecker", - "ms.date": "04/05/2017", - "feedback_system": "GitHub", + "ms.author": "jdecker", + "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", "_op_documentIdPathDepotMapping": { diff --git a/windows/configuration/images/vm-kiosk-connect.png b/windows/configuration/images/vm-kiosk-connect.png new file mode 100644 index 0000000000..2febd9d573 Binary files /dev/null and b/windows/configuration/images/vm-kiosk-connect.png differ diff --git a/windows/configuration/images/vm-kiosk.png b/windows/configuration/images/vm-kiosk.png new file mode 100644 index 0000000000..59f01c1348 Binary files /dev/null and b/windows/configuration/images/vm-kiosk.png differ diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index 9675c42d2c..56411e9638 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -31,7 +31,7 @@ Topic | Description [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. -[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration. +[Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration. diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index 8f2904b128..e0121dbd6c 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -7,7 +7,6 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jdeckerms -ms.date: 07/30/2018 --- # Configure kiosks and digital signs on Windows desktop editions @@ -30,6 +29,9 @@ There are several kiosk configuration methods that you can choose from, dependin ![icon that represents Windows](images/windows.png) | **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. ![icon that represents a user account](images/user.png) | **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. + +>[!IMPORTANT] +>Single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. ## Methods for a single-app kiosk running a UWP app diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 986da71577..515e4fa81f 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 01/09/2019 --- # Prepare a device for kiosk configuration @@ -23,6 +23,12 @@ ms.date: 10/02/2018 > >Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. +>[!IMPORTANT] +>[User account control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. +> +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + +## Configuration recommendations For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: @@ -231,4 +237,17 @@ The following table describes some features that have interoperability issues we + +## Testing your kiosk in a virtual machine (VM) +Customers sometimes use virtual machines (VMs) to test configurations before deploying those configurations to physical devices. If you use a VM to test your single-app kiosk configuration, you need to know how to connect to the VM properly. + +A single-app kiosk kiosk configuration runs an app above the lockscreen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V. + +When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session. + +![VM windows, View menu, Extended session is not selected](images/vm-kiosk.png) + +To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog. + +![Do not select connect button, use close X in corner](images/vm-kiosk-connect.png) diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 4af964b132..7c3e7243b9 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 10/09/2018 +ms.date: 01/09/2019 --- # Set up a single-app kiosk @@ -24,6 +24,11 @@ ms.date: 10/09/2018 --- | --- A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen.

When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. | ![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png) +>[!IMPORTANT] +>[User account control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. +> +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + You have several options for configuring your single-app kiosk. Method | Description diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md similarity index 64% rename from windows/configuration/multi-app-kiosk-troubleshoot.md rename to windows/configuration/kiosk-troubleshoot.md index d724cae559..321d899394 100644 --- a/windows/configuration/multi-app-kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot multi-app kiosk (Windows 10) +title: Troubleshoot kiosk mode issues (Windows 10) description: Tips for troubleshooting multi-app kiosk configuration. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 keywords: ["lockdown", "app restrictions"] @@ -9,19 +9,34 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 10/09/2018 ms.author: jdecker ms.topic: article --- -# Troubleshoot multi-app kiosk +# Troubleshoot kiosk mode issues **Applies to** - Windows 10 -## Unexpected results +## Single-app kiosk issues + +>[!TIP] +>We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#test-vm)), set up your kiosk account and configuration, and try to reproduce the problem. + +### Sign-in issues + +1. Verify that User Account Control (UAC) is turned on. +2. Check the Event Viewer logs for sign-in issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. + +### Automatic logon issues + +Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. + +## Multi-app kiosk issues + +### Unexpected results For example: - Start is not launched in full-screen @@ -39,17 +54,17 @@ For example: ![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) -## Automatic logon issues +### Automatic logon issues Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. -## Apps configured in AllowedList are blocked +### Apps configured in AllowedList are blocked 1. Ensure the account is mapped to the correct profile and that the apps are specific for that profile. 2. Check the EventViewer logs for Applocker and AppxDeployment (under **Application and Services Logs\Microsoft\Windows**). -## Start layout not as expected +### Start layout not as expected - Make sure the Start layout is authored correctly. Ensure that the attributes **Size**, **Row**, and **Column** are specified for each application and are valid. - Check if the apps included in the Start layout are installed for the assigned access user. diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 232a0d1e60..caa9d860ab 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 01/09/2019 ms.author: jdecker ms.topic: article --- @@ -39,6 +39,9 @@ New features and improvements | In update You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). + + + ## Configure a kiosk in Microsoft Intune @@ -399,7 +402,7 @@ Before applying the multi-app configuration, make sure the specified user accoun Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. -- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. +- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group will not have the kiosk settings applied. ```xml @@ -416,7 +419,7 @@ Group accounts are specified using ``. Nested groups are not supporte ``` -- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. +- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign in. ```xml diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index 301f4a7b07..de3fecb42b 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -47,7 +47,7 @@ You’ll need to deploy a settings storage location, a standard network share wh **Create a network share** -1. Create a new security group and add UE-V users to it. +1. Create a new security group and add UE-V users to the group. 2. Create a new folder on the centrally located computer that stores the UE-V settings packages, and then grant the UE-V users access with group permissions to the folder. The administrator who supports UE-V must have permissions to this shared folder. @@ -80,7 +80,7 @@ For evaluation purposes, enable the service on at least two devices that belong The UE-V service is the client-side component that captures user-personalized application and Windows settings and saves them in settings packages. Settings packages are built, locally stored, and copied to the settings storage location. Before enabling the UE-V service, you'll need to register the UE-V templates for first use. In a PowerShell window, type `Register-UevTemplate [TemplateName]` where **TemplateName** is the name of the UE-V template you want to register, and press ENTER. For instance, to register all built-in UE-V templates, use the following PowerShell Command: -'Get-childItem c:\programdata\Microsoft\UEV\InboxTemplates\*.xml|% {Register-UevTemplate $_.Fullname}' +`Get-childItem c:\programdata\Microsoft\UEV\InboxTemplates\*.xml|% {Register-UevTemplate $_.Fullname}` A storage path must be configured on the client-side to tell where the personalized settings are stored. diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 00acdc9318..a08f94fb6c 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -212,9 +212,10 @@ ### [Change history for deploy Windows 10](change-history-for-deploy-windows-10.md) ## [Update Windows 10](update/index.md) -### [Quick guide to Windows as a service](update/waas-quick-start.md) -#### [Servicing stack updates](update/servicing-stack-updates.md) -### [Overview of Windows as a service](update/waas-overview.md) +### [Windows as a service](update/windows-as-a-service.md) +#### [Quick guide to Windows as a service](update/waas-quick-start.md) +##### [Servicing stack updates](update/servicing-stack-updates.md) +#### [Overview of Windows as a service](update/waas-overview.md) ### [Understand how servicing differs in Windows 10](update/waas-servicing-differences.md) ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index f45a135986..125eee189b 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -7,7 +7,6 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt, sccm, M365 ms.localizationpriority: medium -ms.date: 11/06/2018 author: greg-lindsay --- @@ -19,7 +18,7 @@ author: greg-lindsay This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365. -[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). +[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [M365 Enterprise poster](#m365-enterprise-poster) for an overview. For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: @@ -53,6 +52,10 @@ Examples of these two deployment advisors are shown below. ## Windows Analytics deployment advisor example ![Windows Analytics deployment advisor](images/wada.png) +## M365 Enterprise poster + +[![M365 Enterprise poster](images/m365e.png)](http://aka.ms/m365eposter) + ## Related Topics [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 4e9ee7e411..e7d62d3cd1 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 12/07/2018 +ms.date: 12/18/2018 author: greg-lindsay --- @@ -23,6 +23,10 @@ This topic provides an overview of new solutions and online content related to d - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index). - For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). +## Recent additions to this page + +[SetupDiag](#setupdiag) 1.4 is released. + ## The Modern Desktop Deployment Center The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus. @@ -56,6 +60,12 @@ Windows Autopilot streamlines and automates the process of setting up and config Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md). +### SetupDiag + +[SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. + +SetupDiag version 1.4 was released on 12/18/2018. + ### Upgrade Readiness The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. @@ -145,5 +155,3 @@ The following topics provide a change history for Windows 10 ITPro TechNet libra
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications)
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) - - \ No newline at end of file diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index e722db5465..0b6ae0597d 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -37,7 +37,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "greglin", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/deployment/images/m365e.png b/windows/deployment/images/m365e.png new file mode 100644 index 0000000000..2f3ea14906 Binary files /dev/null and b/windows/deployment/images/m365e.png differ diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index 51f0ecee10..4c54a99d29 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -38,7 +38,7 @@ Windows 10 in S mode is built for [modern management](https://docs.microsoft.com ## Keep line of business apps functioning with Desktop Bridge -Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of buisness apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. +Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. ## Repackage Win32 apps into the MSIX format diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 25fac89570..b6828c6943 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -34,12 +34,12 @@ See the following topics in this guide for detailed information about configurin ## Update Compliance architecture -The Update Compliance architecture and data flow is summarized by the following five-step process: +The Update Compliance architecture and data flow is summarized by the following four-step process: -**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
-**(2)** Diagnostic data is analyzed by the Update Compliance Data Service.
-**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
-**(4)** Diagnostic data is available in the Update Compliance solution.
+1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
+2. Diagnostic data is analyzed by the Update Compliance Data Service.
+3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
+4. Diagnostic data is available in the Update Compliance solution.
>[!NOTE] @@ -51,4 +51,4 @@ The Update Compliance architecture and data flow is summarized by the following ## Related topics [Get started with Update Compliance](update-compliance-get-started.md)
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) \ No newline at end of file +[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md new file mode 100644 index 0000000000..a8a889c72c --- /dev/null +++ b/windows/deployment/update/waas-morenews.md @@ -0,0 +1,19 @@ +--- +title: Windows as a service +ms.prod: w10 +ms.topic: article +ms.manager: elizapo +author: lizap +ms.author: elizapo +ms.date: 12/19/2018 +ms.localizationpriority: high +--- +# Windows as a service - More news + +Here's more news about [Windows as a service](windows-as-a-service.md): + + \ No newline at end of file diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 1ea7a5532f..eda470b750 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -1,14 +1,14 @@ --- title: Enrolling devices in Windows Analytics (Windows 10) description: Enroll devices to enable use of Update Compliance, Upgrade Readiness, and Device Health in Windows Analytics. -keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, azure portal ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 11/01/2018 +ms.date: 01/09/2019 ms.localizationpriority: medium --- @@ -51,7 +51,7 @@ To enable data sharing, configure your proxy server to whitelist the following e | `https://eaus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | | `https://weus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | | `https://weus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | -| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with devices runningrunning Windows 10, version 1703 or later **that also have the 2018-09 Cumulative Update (KB4458469, KB4457136, KB4457141) or later installed** | +| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with devices running Windows 10, version 1803 or later **that also have the 2018-09 Cumulative Update (KB4458469, KB4457136, KB4457141) or later installed** | | `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows 10, version 1803 *without* the 2018-09 Cumulative Update installed | | `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier | | `https://vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for operating systems older than Windows 10 | diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 2864e9cf63..00e3d4fd12 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -6,7 +6,6 @@ ms.topic: landing-page ms.manager: elizapo author: lizap ms.author: elizapo -ms.date: 12/12/2018 ms.localizationpriority: high --- # Windows as a service @@ -24,7 +23,9 @@ Windows 10 is the most secure version of Windows yet. Learn what updates we rele The latest news: +
  • Windows Update for Business - Enhancements, diagnostics, configuration - June 7, 2018 -[See more news](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog) +[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). ## IT pro champs corner Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. @@ -134,4 +133,4 @@ Looking to learn more? These informative session replays from Microsoft Ignite 2 [THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) -[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) \ No newline at end of file +[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index dee55745d3..53856948d2 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 08/16/2018 +ms.date: 12/18/2018 ms.localizationpriority: medium --- @@ -24,7 +24,7 @@ ms.localizationpriority: medium ## About SetupDiag -Current version of SetupDiag: 1.3.1.0 +Current version of SetupDiag: 1.4.0.0 SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. @@ -61,11 +61,14 @@ The [Release notes](#release-notes) section at the bottom of this topic has info | --- | --- | | /? |
    • Displays interactive help
    | | /Output:\ |
    • This optional parameter enables you to specify the output file for results. This is where you will find what SetupDiag was able to determine. Only text format output is supported. UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, you must enclose the entire path in double quotes (see the example section below).
    • Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same directory where SetupDiag.exe is run.
    | -| /Mode:\ |
    • This optional parameter allows you to specify the mode in which SetupDiag will operate: Offline or Online.
    • Offline: tells SetupDiag to run against a set of log files already captured from a failed system. In this mode you can run anywhere you have access to the log files. This mode does not require SetupDiag to be run on the computer that failed to update. When you specify offline mode, you must also specify the /LogsPath: parameter.
    • Online: tells SetupDiag that it is being run on the computer that failed to update. SetupDiag will attempt find log files and resources in standard Windows locations, such as the **%SystemDrive%\$Windows.~bt** directory for setup log files.
    • Log file search paths are configurable in the SetupDiag.exe.config file, under the SearchPath key. Search paths are comma separated. Note: A large number of search paths will extend the time required for SetupDiag to return results.
    • Default: If not specified, SetupDiag will run in Online mode.
    | -| /LogsPath:\ |
    • This optional parameter is required only when **/Mode:Offline** is specified. This tells SetupDiag.exe where to find the log files. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories. This parameter should be omitted when the **/Mode:Online** is specified.
    | +| /LogsPath:\ |
    • This optional parameter tells SetupDiag.exe where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories.
    | | /ZipLogs:\ |
    • This optional parameter tells SetupDiag.exe to create a zip file containing the results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
    • Default: If not specified, a value of 'true' is used.
    | -| /Verbose |
    • This optional parameter will output much more data to the log file produced by SetupDiag.exe. By default SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce a log file with debugging details, which can be useful when reporting a problem with SetupDiag.
    | +| /Verbose |
    • This optional parameter will output much more data to a log file. By default, SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce an additional log file with debugging details. These details can be useful when reporting a problem with SetupDiag.
    | | /Format:\ |
    • This optional parameter can be used to output log files in xml or JSON format. If this parameter is not specified, text format is used by default.
    | +| /NoTel |
    • This optional parameter tells SetupDiag.exe not to send diagnostic telemetry to Microsoft.
    | + +Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag. +- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0 when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter is not needed. ### Examples: @@ -75,10 +78,10 @@ In the following example, SetupDiag is run with default parameters (online mode, SetupDiag.exe ``` -In the following example, SetupDiag is specified to run in Online mode (this is the default). It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified. +In the following example, SetupDiag is run in online mode (this is the default). It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified. ``` -SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Online +SetupDiag.exe /Output:C:\SetupDiag\Results.log ``` The following example uses the /Output parameter to save results to a path name that contains a space: @@ -90,7 +93,7 @@ SetupDiag /Output:"C:\Tools\SetupDiag\SetupDiag Results\Results.log" The following example specifies that SetupDiag is to run in offline mode, and to process the log files found in **D:\Temp\Logs\LogSet1**. ``` -SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Offline /LogsPath:D:\Temp\Logs\LogSet1 +SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1 ``` ## Log files @@ -111,7 +114,7 @@ When Microsoft Windows encounters a condition that compromises safe system opera If crash dumps [are enabled](https://docs.microsoft.com/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup will extract a minidump (setupmem.dmp) file. SetupDiag can also debug these setup related minidumps. To debug a setup related bug check, you must: -- Specify the **/Mode:Offline** and **/LogsPath** parameters. You cannot debug memory dumps in online mode. +- Specify the **/LogsPath** parameter. You cannot debug memory dumps in online mode. - Gather the setup memory dump file (setupmem.dmp) from the failing system. - Setupmem.dmp will be created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs. - Install the [Windows Debugging Tools](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-tools) on the computer that runs SetupDiag. @@ -119,7 +122,7 @@ To debug a setup related bug check, you must: In the following example, the **setupmem.dmp** file is copied to the **D:\Dump** directory and the Windows Debugging Tools are installed prior to running SetupDiag: ``` -SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /Mode:Offline /LogsPath:D:\Dump +SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /LogsPath:D:\Dump ``` ## Known issues @@ -135,10 +138,10 @@ The following is an example where SetupDiag is run in offline mode. In this exam The output also provides an error code 0xC1900208 - 0x4000C which corresponds to a compatibility issue as documented in the [Upgrade error codes](upgrade-error-codes.md#result-codes) and [Resolution procedures](resolution-procedures.md#modern-setup-errors) topics in this article. ``` -C:\SetupDiag>SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Offline /LogsPath:C:\Temp\BobMacNeill +C:\SetupDiag>SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:C:\Temp\BobMacNeill -SetupDiag v1.01 -Copyright (c) Microsoft Corporation. All rights reserved +SetupDiag v1.4.0.0 +Copyright (c) Microsoft Corporation. All rights reserved. Searching for setup logs, this can take a minute or more depending on the number and size of the logs...please wait. Found 4 setupact.logs. @@ -365,16 +368,42 @@ Each rule name and its associated unique rule identifier are listed with a descr 40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2 - Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code. 41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636 - - Matches any plug in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. + - Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. 42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes. 43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9 - - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug in name, plug in action and error code. + - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug-in name, plug-in action and error code. 44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 - Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code. +45. PlugInComplianceBlock - D912150B-1302-4860-91B5-527907D08960 + - Detects all compat blocks from Server compliance plug-ins. Outputs the block information and remediation. +46. AdvancedInstallerGenericFailure - 4019550D-4CAA-45B0-A222-349C48E86F71 + - Triggers on advanced installer failures in a generic sense, outputting the application called, phase, mode, component and error code. +47. FindMigGatherApplyFailure - A9964E6C-A2A8-45FF-B6B5-25E0BD71428E + - Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration +48. OptionalComponentFailedToGetOCsFromPackage - D012E2A2-99D8-4A8C-BBB2-088B92083D78 + - Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. Outputs the package name and error code. +49. OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6 + - Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code. +50. OptionalComponentInitCBSSessionFailed - 63340812-9252-45F3-A0F2-B2A4CA5E9317 + - Indicates corruption in the servicing stack on the down-level system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS. +51. DISMproviderFailure - D76EF86F-B3F8-433F-9EBF-B4411F8141F4 + - Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider. +52. SysPrepLaunchModuleFailure - 7905655C-F295-45F7-8873-81D6F9149BFD + - Indicates a sysPrep plug-in has failed in a critical operation. Indicates the plug-in name, operation name and error code. +53. UserProvidedDriverInjectionFailure - 2247C48A-7EE3-4037-AFAB-95B92DE1D980 + - A driver provided to setup (via command line input) has failed in some way. Outputs the driver install function and error code. ## Release notes +12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center. + - This release includes major improvements in rule processing performance: ~3x faster rule processing performance! + - The FindDownlevelFailure rule is up to 10x faster. + - New rules have been added to analyze failures upgrading to Windows 10 version 1809. + - A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure. + - Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode. + - Some functional and output improvements were made for several rules. + 07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center. - This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed. diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 5c83f04180..a5337198d6 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -129,7 +129,7 @@ Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Mi | 42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. | | 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. | | 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | Update the device using Windows Update or Windows Server Update Services. | -| 45 - Diagrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. | +| 45 - Diagtrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. | | 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. | | 50 - Diagtrack Service is not running. | The Diagtrack service is required to send data to Microsoft. Enable and run the "Connected User Experiences and Telemetry" service. | | 51 - RunCensus failed with an unexpected exception. | RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details. | diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index df329861e8..0cf15ed303 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -9,16 +9,16 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 01/03/2018 --- # Overview of Windows Autopilot **Applies to** -- Windows 10 +- Windows 10 -Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.
    +Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices.
    This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. @@ -34,121 +34,41 @@ Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intu The following video shows the process of setting up Windows Autopilot:
    - + + ## Benefits of Windows Autopilot -Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach. +Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach. -From the users' perspective, it only takes a few simple operations to make their device ready to use. +From the user's perspective, it only takes a few simple operations to make their device ready to use. -From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated. +From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything past that is automated. + +## Requirements + +Windows 10 version 1703 or higher is required to use Windows Autopilot. The following editions are supported: +- Pro +- Pro Education +- Pro for Workstations +- Enterprise +- Education + +See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on configuration, network, and licensing requirements. ## Windows Autopilot Scenarios -### Cloud-Driven +Windows Autopilot enables you to pre-register devices to your organization so that they will be fully configured with no additional intervention required by the user. -The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. +Windows Autopilot enables you to: +* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)). +* Restrict the Administrator account creation. +* Create and auto-assign devices to configuration groups based on a device's profile. +* Customize OOBE content specific to the organization. -#### The Windows Autopilot Deployment Program experience +See [Windows Autopilot scenarios](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-scenarios) for more information about scenarios for using Windows Autopilot. -The Windows Autopilot Deployment Program enables you to: -* Automatically join devices to Azure Active Directory (Azure AD) -* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) -* Restrict the Administrator account creation -* Create and auto-assign devices to configuration groups based on a device's profile -* Customize OOBE content specific to the organization - -##### Prerequisites - ->[!NOTE] ->Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. - -* [Devices must be registered to the organization](#device-registration-and-oobe-customization) -* [Company branding needs to be configured](#configure-company-branding-for-oobe) -* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements) -* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later -* Devices must have access to the internet -* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) -* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal) -* Microsoft Intune or other MDM services to manage your devices - -The end-user unboxes and turns on a new device. What follows are a few simple configuration steps: -* Select a language and keyboard layout -* Connect to the network -* Provide email address (the email address of the user's Azure AD account) and password - -Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service). - -MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. - -
    - - -#### Device registration and OOBE customization - -To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. - -If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID. - -Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703: -* Skipping Work or Home usage selection (*Automatic*) -* Skipping OEM registration, OneDrive and Cortana (*Automatic*) -* Skipping privacy settings -* Skipping EULA (*starting with Windows 10, version 1709*) -* Preventing the account used to set-up the device from getting local administrator permissions - -For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options: -* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) -* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) -* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) - -##### Configure company branding for OOBE - -In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first. - -See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings. - -##### Configure MDM auto-enrollment in Microsoft Intune - -In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Microsoft Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. - ->[!NOTE] ->MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. - -#### Network connectivity requirements - -The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices. - -To manage devices behind firewalls and proxy servers, the following URLs need to be accessible: - -* https://go.microsoft.com -* https://login.microsoftonline.com -* https://login.live.com -* https://account.live.com -* https://signup.live.com -* https://licensing.mp.microsoft.com -* https://licensing.md.mp.microsoft.com -* ctldl.windowsupdate.com -* download.windowsupdate.com - ->[!NOTE] ->Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible. - ->[!TIP] ->If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2). - -### IT-Driven - -If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). - - -### Self-Deploying - -Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. see [Windows Autopilot Self-Deploying mode (Preview)] (/windows/deployment/windows-autopilot/self-deploying). - - -### Teacher-Driven - -If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. +## Related topics +[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot) \ No newline at end of file diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index c7c10965fd..f50049e9bc 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -32,14 +32,18 @@ You must have administrative privilege on the device in order to use this PowerS You must install the module before you can use the Diagnostic Data Viewer for PowerShell. +### Opening an Elevated PowerShell session + +Using the Diagnostic Data Viewer for PowerShell requires administrative (elevated) privilege. There are two ways to open an elevated PowerShell prompt. You can use either method. +- Go to **Start** > **Windows PowerShell** > **Run as administrator** +- Go to **Start** > **Command prompt** > **Run as administrator**, and run the command `C:\> powershell.exe` + ### Install the Diagnostic Data Viewer for PowerShell >[!IMPORTANT] >It is recommended to visit the documentation on [Getting Started](https://docs.microsoft.com/en-us/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. -To install the newest version of the Diagnostic Data Viewer PowerShell module: -1. From an elevated Command Prompt, start a PowerShell session by running `C:\> powershell.exe`. -2. Install the module by name +To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session: ```powershell PS C:\> Install-Module -Name Microsoft.DiagnosticDataViewer ``` @@ -60,10 +64,7 @@ Note that this setting does not control whether your device sends diagnostic dat **To turn on data viewing through PowerShell** -1. Install the Diagnostic Data Viewer for PowerShell module. -2. Run the Command prompt **as administrator**. -3. Start a PowerShell session by running `C:\> powershell.exe`. -4. Run the following commands in the PowerShell session: +Run the following command within an elevated PowerShell session: ```powershell PS C:\> Enable-DiagnosticDataViewing @@ -74,22 +75,6 @@ Once data viewing is enabled, your Windows machine will begin saving a history o >[!IMPORTANT] >Turning on data viewing can use up to 1GB (default setting) of disk space on your system drive. We recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. -### Start the Diagnostic Data Viewer -You must start this app from the **Settings** panel. - -**To start the Diagnostic Data Viewer** -1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. - -2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button. - - ![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)

    -OR-

    - - Go to **Start** and search for _Diagnostic Data Viewer_. - -3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data. - - >[!IMPORTANT] - >Turning on data viewing can use up to 1GB of disk space on your system drive. We strongly recommend that your turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. ### Getting Started with Diagnostic Data Viewer for PowerShell To see how to use the cmdlet, the parameters it accepts, and examples, run the following command from an elevated PowerShell session: @@ -149,9 +134,7 @@ When you're done reviewing your diagnostic data, we recommend turning off data v **To turn off data viewing through PowerShell** -1. Run the Command prompt **as administrator**. -2. Start a PowerShell session by running `C:\> powershell.exe`. -3. Run the following commands in the PowerShell session: +Within an elevated PowerShell session, run the following command: ```powershell PS C:\> Disable-DiagnosticDataViewing diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index d581476641..35561d07af 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -22,4 +22,5 @@ ### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) ### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +### [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 01f681caf7..79ef8ac888 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 12/13/2018 +ms.date: 12/27/2018 --- @@ -20,7 +20,7 @@ ms.date: 12/13/2018 - Windows 10, version 1703 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -1810,47 +1810,46 @@ This event sends data about boot IDs for which a normal clean shutdown was not o The following fields are available: - **AbnormalShutdownBootId** Retrieves the Boot ID for which the abnormal shutdown was observed. -- **CrashDumpEnabled** OS configuration of the type of crash dump enabled; 0 = not enabled -- **CumulativeCrashCount** Cumulative count of OS crashes since the BootId reset -- **CurrentBootId** Retrieves the current boot ID. +- **CrashDumpEnabled** Indicates whether crash dumps are enabled. +- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. +- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. - **FirmwareResetReasonEmbeddedController** Firmware-supplied reason for the reset. - **FirmwareResetReasonEmbeddedControllerAdditional** Additional data related to the reset reason provided by the firmware. - **FirmwareResetReasonPch** Hardware-supplied reason for the reset. - **FirmwareResetReasonPchAdditional** Additional data related to the reset reason provided by the hardware. - **FirmwareResetReasonSupplied** Indicates whether the firmware supplied any reset reason. -- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType +- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. - **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. - **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. -- **LastBugCheckBootId** "bootId of the captured Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check info in the event does not correlate with the rest of the information""""ootId of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check info in the event does not correlate with the """"otId of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check info in the event does n""""tId of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check inf""""Id of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or th""""d of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId"""" of the captured ""Last Bug Check""; important to match Abno""""of the captured ""Last Bug Check""; import""""f the captured ""Last Bu"""" the ca""" -- **LastBugCheckCode** Bug Check code indicating the type of error; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) -- **LastBugCheckContextFlags** Additional crashdump settings; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) -- **LastBugCheckOriginalDumpType** Type of crashdump the system intended to save; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) -- **LastBugCheckOtherSettings** Other crashdump settings; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) -- **LastBugCheckParameter1** First Bug Check parameter with additional info on the type of the error; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) -- **LastBugCheckProgress** Progress towards writing out the last crashdump; non-zero value indicates an attempt; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled .> 0) -- **LastSuccessfullyShutdownBootId** Retrieves the last successfully/cleanly shutdown boot ID. -- **PowerButtonCumulativePressCount** "Number of times the Power Button was detected to have been pressed (pressed" not to be confused with "released") for the BootId specified in PowerButtonLastPressBootId""umber of times the Power Button was detected to have been pressed ("pressed" not to be confused wit""mber of times the Power Button """umber of times the Power Button was detected to have been pressed (pressed" not to be confused with "released") for the BootId specified in PowerButtonLastPressBootId""umber of times the Power Button was detected to have been ""mber of times the Power Button was detected to have been pressed (pressed" not to be confused with "released") for the BootId specified in PowerButtonL""ber of times the Power Button was detected to have been pressed (pressed" not""er o" -- **PowerButtonCumulativeReleaseCount** "Number of times the Power Button was detected to have been released (released" not to be confused with "pressed") for the BootId specified in PowerButtonLastReleaseBootId""umber of times the Power Button was detected to have been released ("released" not to be confused wit""mber of times the Power Button w"""umber of times the Power Button was detected to have been released (released" not to be confused with "pressed") for the BootId specified in PowerButtonLastReleaseBootId""umber of times the Power Button was detected to have been r""mber of times the Power Button was detected to have been released (released" not to be confused with "pressed") for the BootId specified in PowerButtonLa""ber of times the Power Button was detected to have been released (released" n""er" -- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g. due to a failure to lock/update the bootstat file) -- **PowerButtonLastPressBootId** "BootId of the last time the Power Button was detected to have been pressed (pressed" not to be confused with "released")""ootId of the last time the Power Button was """ootId of the last time the Power Button was detected to have been pressed (pressed"""" -- **PowerButtonLastPressTime** "Date/time of the last time the Power Button was detected to have been pressed (pressed" not to be confused with "released")""ate/time of the last time the Power Button w"""ate/time of the last time the Power Button was detected to have been pressed (press" -- **PowerButtonLastReleaseBootId** "BootId of the last time the Power Button was detected to have been released (released" not to be confused with "pressed")""ootId of the last time the Power Button was """ootId of the last time the Power Button was detected to have been released (releas" -- **PowerButtonLastReleaseTime** "Date/time of the last time the Power Button was detected to have been released (released" not to be confused with "pressed")""ate/time of the last time the Power Button w"""ate/time of the last time the Power Button was detected to have been released (rel" +- **LastBugCheckBootId** The Boot ID of the last captured crash. +- **LastBugCheckCode** Code that indicates the type of error. +- **LastBugCheckContextFlags** Additional crash dump settings. +- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. +- **LastBugCheckOtherSettings** Other crash dump settings. +- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. +- **LastSuccessfullyShutdownBootId** The Boot ID of the last fully successful shutdown. +- **PowerButtonCumulativePressCount** Indicates the number of times the power button has been pressed ("pressed" not to be confused with "released"). +- **PowerButtonCumulativeReleaseCount** Indicates the number of times the power button has been released ("released" not to be confused with "pressed"). +- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g.: due to a failure to lock/update the bootstat file). +- **PowerButtonLastPressBootId** The Boot ID of the last time the Power Button was detected to have been pressed ("pressed" not to be confused with "released"). +- **PowerButtonLastPressTime** The date and time the Power Button was most recently pressed ("pressed" not to be confused with "released"). +- **PowerButtonLastReleaseBootId** The Boot ID of the last time the Power Button was released ("released" not to be confused with "pressed"). +- **PowerButtonLastReleaseTime** The date and time the Power Button was most recently released ("released" not to be confused with "pressed"). - **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. -- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the Power Button was pressed -- **PowerButtonPressLastPowerWatchdogStage** Progress while monitor/display is being turned on; ranges from 0 (no progress) to 0x50 (completion); if PowerButtonPressPowerWatchdogArmed == TRUE (armed), the value represents the current stage whereas if PowerButtonPressPowerWatchdogArmed == FALSE (not armed),the value represents the last completed stage at the time of the last Power Button press, -- **PowerButtonPressPowerWatchdogArmed** Inidicates whether or not the watchdog for the monitor/display was active at the time of the last Power Button press -- **TransitionInfoBootId** "BootId of the captured Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Info in the event does not correlate with the rest of the information""""ootId of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Info in the event does not correlate with the """"otId of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Info in the event does n""""tId of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Inf""""Id of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis o""""d of the captured ""Transition Info""; important to match AbnormalShutdownBo"""" of the captured ""Transition Info""; important to match """"of the captured ""Transition Info""; im""""f the captured ""Tran"""" the""" -- **TransitionInfoCSCount** "Total number of times the system transitioned from Connected Standby mode to on" at the time the last marker was saved""otal number of times the system transitio"""otal number of times the system transitioned from Connected Standby mode to on" at""tal" -- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode -- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode -- **TransitionInfoCSInProgress** At the time the last marker was saved,the system was in or entering Connected Standby mode -- **TransitionInfoLastReferenceTimeChecksum** Checksum of TransitionInfoLastReferenceTimestamp -- **TransitionInfoLastReferenceTimestamp** Date/time the marker was last saved -- **TransitionInfoPowerButtonTimestamp** Date/time of the last time the Power Button was detected to have been pressed (collected via a different mechanism than PowerButtonLastPressTime) -- **TransitionInfoSleepInProgress** At the time the last marker was saved,the system was in or entering Sleep mode -- **TransitionInfoSleepTranstionsToOn** "Total number of times the system transitioned from Sleep mode to on" at the time the last marker was saved""otal number of times the system transitio"""otal number of times the system transitioned from Sleep mode to on" at the time th""tal number of t" -- **TransitionInfoSystemRunning** At the time the last marker was saved,the system was running +- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the Power Button was pressed. +- **PowerButtonPressLastPowerWatchdogStage** The last stage completed when the Power Button was most recently pressed. +- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. +- **TransitionInfoBootId** The Boot ID of the captured transition information. +- **TransitionInfoCSCount** The total number of times the system transitioned from "Connected Standby" mode to "On" when the last marker was saved. +- **TransitionInfoCSEntryReason** Indicates the reason the device last entered "Connected Standby" mode ("entered" not to be confused with "exited"). +- **TransitionInfoCSExitReason** Indicates the reason the device last exited "Connected Standby" mode ("exited" not to be confused with "entered"). +- **TransitionInfoCSInProgress** Indicates whether the system was in or entering Connected Standby mode when the last marker was saved. +- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp. +- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. +- **TransitionInfoPowerButtonTimestamp** The most recent date and time when the Power Button was pressed (collected via a different mechanism than PowerButtonLastPressTime). +- **TransitionInfoSleepInProgress** Indicates whether the system was in or entering Sleep mode when the last marker was saved. +- **TransitionInfoSleepTranstionsToOn** The total number of times the system transitioned from Sleep mode to on, when the last marker was saved. +- **TransitionInfoSystemRunning** Indicates whether the system was running when the last marker was saved. - **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. - **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. - **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. @@ -3008,8 +3007,8 @@ The following fields are available: - **ServiceHealthPlugin** The nae of the Service Health plug-in. - **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. -- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. -- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Microsoft Store cache (prior to cleanup), measured in Megabytes. - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. - **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. - **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set. @@ -3927,7 +3926,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -3963,7 +3962,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Unique revision number of Update -- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Windows Store. +- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **UpdateId** Unique Update ID @@ -4165,7 +4164,7 @@ The following fields are available: - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install. - **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -4209,7 +4208,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -4866,11 +4865,11 @@ The following fields are available: - **RebootReason** Reason for the reboot. -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.Partner.ReportApplication -Report application event for Windows Store client. +Report application event for Microsoft Store client. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index bd9b834375..63376e03ed 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -20,7 +20,7 @@ ms.date: 12/13/2018 - Windows 10, version 1709 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -3185,8 +3185,8 @@ The following fields are available: - **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. - **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. -- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. -- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Microsoft Store cache (prior to cleanup), measured in Megabytes. - **uninstallActive** TRUE if previous uninstall has occurred for current OS - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. - **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. @@ -3642,7 +3642,7 @@ The following fields are available: - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. @@ -3659,7 +3659,7 @@ The following fields are available: - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **RebootRequired** Indicates if a reboot was required to complete the action. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. - **WUDeviceID** The unique identifier controlled by the software distribution client. @@ -3674,7 +3674,7 @@ The following fields are available: - **CachedEngineVersion** The engine DLL version that is being used. - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. - **WUDeviceID** The unique identifier controlled by the software distribution client. @@ -3690,7 +3690,7 @@ The following fields are available: - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **Service** The service that is being stopped/started. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). - **StateChange** The service operation (stop/start) is being attempted. - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. @@ -3708,7 +3708,7 @@ The following fields are available: - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **FailedParseActions** The list of actions that were not successfully parsed. - **ParsedActions** The list of actions that were successfully parsed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **WUDeviceID** The unique identifier controlled by the software distribution client. @@ -3784,7 +3784,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -3854,7 +3854,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -3920,7 +3920,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one - **ResumeCount** Number of times this active download has resumed from a suspended state - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SuspendCount** Number of times this active download has entered a suspended state - **SuspendReason** Last reason for why this active download entered a suspended state @@ -3980,7 +3980,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -4007,7 +4007,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -4028,7 +4028,7 @@ The following fields are available: - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. - **RevisionId** The revision ID for a specific piece of content. - **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. @@ -4941,11 +4941,11 @@ The following fields are available: - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.Partner.ReportApplication -Report application event for Windows Store client. +Report application event for Microsoft Store client. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index af938824ba..c8a8b09e66 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -20,7 +20,7 @@ ms.date: 12/13/2018 - Windows 10, version 1803 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -4148,8 +4148,8 @@ The following fields are available: - **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. - **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. -- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. -- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Microsoft Store cache (prior to cleanup), measured in Megabytes. - **uninstallActive** TRUE if previous uninstall has occurred for current OS - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. - **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. @@ -4493,7 +4493,7 @@ The following fields are available: - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. - **IsExecutingAction** If the action is presently being executed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **SihclientVersion** The client version that is being used. - **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. - **StatusCode** Result code of the event (success, cancellation, failure code HResult). @@ -4515,7 +4515,7 @@ The following fields are available: - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **FailedParseActions** The list of actions that were not successfully parsed. - **ParsedActions** The list of actions that were successfully parsed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **SihclientVersion** The client version that is being used. - **WuapiVersion** The Windows Update API version that is currently installed. - **WuaucltVersion** The Windows Update client version that is currently installed. @@ -4595,7 +4595,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -4631,7 +4631,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -4694,7 +4694,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -4815,7 +4815,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -4841,7 +4841,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -4863,7 +4863,7 @@ The following fields are available: - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. - **RevisionId** The revision ID for a specific piece of content. - **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. @@ -5675,7 +5675,7 @@ The following fields are available: - **PertProb** Constant used in algorithm for randomization. -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.StoreActivating diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 0d1c11c6b4..639c8005ed 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -20,7 +20,7 @@ ms.date: 12/13/2018 - Windows 10, version 1809 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -4631,7 +4631,7 @@ The following fields are available: - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan - **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -4667,7 +4667,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -4743,7 +4743,7 @@ The following fields are available: - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. @@ -4873,7 +4873,7 @@ The following fields are available: - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -4924,7 +4924,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -4945,7 +4945,7 @@ The following fields are available: - **CmdLineArgs** Command line arguments passed in by the caller. - **EventInstanceID** A globally unique identifier for the event instance. - **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **WUDeviceID** Unique device ID controlled by the software distribution client. @@ -4984,7 +4984,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -5005,7 +5005,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -5027,7 +5027,7 @@ The following fields are available: - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. - **RevisionId** The revision ID for a specific piece of content. - **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob @@ -5754,7 +5754,7 @@ The following fields are available: - **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. -## Windows Store events +## Microsoft Store events ### Microsoft.Windows.Store.StoreActivating diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index 801539efd6..98296c6b76 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -36,8 +36,6 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "daniha", - "ms.date": "05/10/2018", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app" diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md index 92c2dfc96e..2e754c9ad3 100644 --- a/windows/privacy/manage-windows-1709-endpoints.md +++ b/windows/privacy/manage-windows-1709-endpoints.md @@ -34,7 +34,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md index 5cbbfcd3d1..f508978478 100644 --- a/windows/privacy/manage-windows-1803-endpoints.md +++ b/windows/privacy/manage-windows-1803-endpoints.md @@ -34,7 +34,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index dd3a50a2fe..54dc118d49 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -34,7 +34,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md index 72a79162f0..89c04ebc76 100644 --- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md @@ -26,7 +26,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md index ea2c517a4f..39343b19d9 100644 --- a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md @@ -26,7 +26,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. @@ -48,13 +49,14 @@ We used the following methodology to derive these network endpoints: | cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | | cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | | displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | -|dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | | fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. | | g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | | ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | | licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. | | location-inference-westus.cloudapp.net | HTTPS | Used for location data. | @@ -63,21 +65,24 @@ We used the following methodology to derive these network endpoints: | ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | | ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | | oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | +| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry | | query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | | ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | | settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. | | settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  | +| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | | sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. | | storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | | storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | | tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic | | watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic | ## Windows 10 Pro - | **Destination** | **Protocol** | **Description** | | --- | --- | --- | | *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | @@ -92,11 +97,13 @@ We used the following methodology to derive these network endpoints: | cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | | dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| flightingservicewus.cloudapp.net | HTTPS | Insider Program | | g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | | location-inference-westus.cloudapp.net | HTTPS | Used for location data. | | modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | | ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | | ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | @@ -118,6 +125,7 @@ We used the following methodology to derive these network endpoints: | au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | | cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | | client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store | config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | | ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | | cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | @@ -129,6 +137,7 @@ We used the following methodology to derive these network endpoints: | fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| flightingservicewus.cloudapp.net | HTTPS | Insider Program | | g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | | g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | @@ -138,11 +147,14 @@ We used the following methodology to derive these network endpoints: | ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | | ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | | oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry | | settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | | sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | | storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | | tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | | vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | | watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | +| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic | +| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md new file mode 100644 index 0000000000..284de7b96d --- /dev/null +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -0,0 +1,159 @@ +--- +title: Windows 10, version 1809, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 +--- +# Windows 10, version 1809, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1809 +- Windows 10 Professional, version 1809 +- Windows 10 Education, version 1809 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +|*.aria.microsoft.com* | HTTPS | Office Telemetry +|*.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. +|*.download.windowsupdate.com* | HTTP | Used to download operating system patches and updates. +|*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. +|*.msn.com* |TLSv1.2/HTTPS | Windows Spotlight related traffic +|*.Skype.com | HTTP/HTTPS | Skype related traffic +|*.smartscreen.microsoft.com* | HTTPS | Windows Defender Smartscreen related traffic +|*.telecommand.telemetry.microsoft.com* | HTTPS | Used by Windows Error Reporting. +|*cdn.onenote.net* | HTTP | OneNote related traffic +|*displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. +|*emdl.ws.microsoft.com* | HTTP | Windows Update related traffic +|*geo-prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. +|*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +|*maps.windows.com* | HTTPS | Related to Maps application. +|*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. +|*nexusrules.officeapps.live.com* | HTTPS | Office Telemetry +|*photos.microsoft.com* | HTTPS | Photos App related traffic +|*prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. +|*wac.phicdn.net* | HTTP | Windows Update related traffic +|*windowsupdate.com* | HTTP | Windows Update related traffic +|*wns.windows.com* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). +|*wpc.v0cdn.net* | | Windows Telemetry related traffic +|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related +|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +|fe2.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe3.*.mp.microsoft.com.* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fs.microsoft.com | | Font Streaming (in ENT traffic) +|g.live.com* | HTTPS | Used by OneDrive +|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry +|mscrl.micorosoft.com | | Certificate Revocation List related traffic. +|ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. +|officeclient.microsoft.com | HTTPS | Office related traffic. +|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. +|purchase.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. +|query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. +|ris.api.iris.microsoft.com* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. +|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager +|settings.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. +|settings-win.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. +|sls.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|store*.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. +|storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. +|store-images.s-microsoft.com* | HTTP | Used to get images that are used for Microsoft Store suggestions. +|tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. +|tsfe.trafficshaping.dsp.mp.microsoft.com* |TLSv1.2 | Used for content regulation. +|v10.events.data.microsoft.com | HTTPS | Diagnostic Data +|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. +|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. +|www.bing.com* | HTTP | Used for updates for Cortana, apps, and Live Tiles. + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | +| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | +| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | + + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | +| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | +| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | +| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index ccbb1809a4..515338ce7e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -51,7 +51,7 @@ For information about Windows Defender Remote Credential Guard hardware and soft ## Application requirements -When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. +When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality. >[!WARNING] > Enabling Windows Defender Credential Guard on domain controllers is not supported.
    diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index d3128c154a..09530fefa8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -202,9 +202,9 @@ Active Directory Domain Services uses AdminSDHolder to secure privileged users a Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.
    -```dsacls "CN=AdminSDHolder,CN=System,**DC=domain,DC=com**" /g "**[domainName\keyAdminGroup]**":RPWP,msDS-KeyCredentialLink```
    +```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```
    where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
    -```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net /g "mstepdemo\Key Admins":RPWP,msDS-KeyCredentialLink``` +```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink``` 2. To trigger security descriptor propagation, open **ldp.exe**. 3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**. 4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user. @@ -266,4 +266,4 @@ Users appreciate convenience of biometrics and administrators value the security - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index d855efc036..dda2b53178 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -517,8 +517,8 @@ Sign-in the NDES server with access equivalent to _local administrator_. #### Configure Parameters for HTTP.SYS 1. Open an elevated command prompt. 2. Run the following commands
    -```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534```
    -```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```
    +```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534```
    +```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```
    3. Restart the NDES server. ## Download, Install and Configure the Intune Certificate Connector diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 9145280789..063a6f0ffc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -29,7 +29,7 @@ When using a key, the on-premises environment needs an adequate distribution of When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector. To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md). -To deploy single sign-on for Azure AD joined devices using, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). +To deploy single sign-on for Azure AD joined devices using certificates, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 89535ec25d..0156ec9a78 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -25,7 +25,7 @@ Before you move away from passwords, you need something to replace them. With W Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a password-less deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index d536281716..0e713f66aa 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: Justinha -ms.date: 11/06/2018 +ms.date: 01/12/2019 --- # Overview of BitLocker Device Encryption in Windows 10 @@ -27,7 +27,6 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi | Windows 7 | Windows 10 | |---|---| | When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

    Network Unlock allows PCs to start automatically when connected to the internal network. | - | Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.

    Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. | | When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. | | There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. | | Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. | @@ -58,7 +57,9 @@ With earlier versions of Windows, administrators had to enable BitLocker after W ## BitLocker Device Encryption -Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby. Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption. +Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition. + +Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption. Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 50c63fd31c..529d064913 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: aadake -ms.date: 12/08/2018 +ms.date: 12/20/2018 --- # Kernel DMA Protection for Thunderbolt™ 3 @@ -38,17 +38,17 @@ A simple example would be a PC owner leaves the PC for a quick coffee break, and ## How Windows protects against DMA drive-by attacks -Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external devices from starting and performing DMA unless the drivers for these devices support memory isolation (such as DMA-remapping). -Devices with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. -Devices with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. +Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping). +Peripherals with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. +By default, peripherals with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. ## User experience ![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png) -A device that is incompatible with DMA-remapping will be blocked from starting if the device was plugged in before an authorized user logs in, or while the screen is locked. -Once the system is unlocked, the device driver will be started by the OS, and the device will continue to function normally until the system is rebooted, or the device is unplugged. -The devices will continue to function normally if the user locks the screen or logs out of the system. +A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. +Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. +The peripheral will continue to function normally if the user locks the screen or logs out of the system. ## System compatibility @@ -88,7 +88,7 @@ For systems that do not support Kernel DMA Protection, please refer to the [BitL ## Frequently asked questions ### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3? -In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. +In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot? No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. @@ -108,10 +108,13 @@ In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Co ### Do drivers for non-PCI devices need to be compatible with DMA-remapping? No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping. -### How can an enterprise enable the “External device enumeration” policy? -The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated. The policy can be enabled via Group Policy or Mobile Device Management (MDM): +### How can an enterprise enable the External device enumeration policy? +The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + +The policy can be enabled by using: + - Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection -- MDM: [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) +- Mobile Device Management (MDM): [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) ## Related topics diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 9b287bed8c..3d34861247 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -17,6 +17,7 @@ ms.date: 11/29/2018 **Applies to** - Windows 10 - Windows Server 2016 +- Windows Server 2019 This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. @@ -38,7 +39,7 @@ Different versions of the TPM are defined in specifications by the Trusted Compu ### Automatic initialization of the TPM with Windows 10 -Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). +Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](https://docs.microsoft.com/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809. In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects. @@ -69,18 +70,18 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? > [!NOTE] -> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. +> Windows 10, Windows Server 2016 and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. ## Supported versions for device health attestation -| TPM version | Windows 10 | Windows Server 2016 | -|-------------|-------------|---------------------| -| TPM 1.2 | >= ver 1607 | >= ver 1607 | -| TPM 2.0 | X | X | +| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 | +|-------------|-------------|---------------------|---------------------| +| TPM 1.2 | >= ver 1607 | >= ver 1607 | Yes | +| TPM 2.0 | Yes | Yes | Yes | ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 9dce29791b..2c82639fdb 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.author: justinha -ms.date: 05/30/2018 +ms.date: 12/18/2018 ms.localizationpriority: medium --- @@ -104,7 +104,7 @@ This table provides info about the most common problems you might encounter whil
  • SavedGames
    • - WIP isn’t turned on for employees in your organization. + WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using System Center Configuration Manager. Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md index b0cbdd55e6..e160720d9f 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md @@ -22,8 +22,8 @@ Microsoft Intune helps you create and deploy your enterprise data protection (WI ## In this section |Topic |Description | |------|------------| -|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | -|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MDM, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.| +|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MAM (Mobile Application Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.| |[Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](create-wip-policy-using-intune.md) |Details about how to use the classic console for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | -|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | \ No newline at end of file +|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index e31ecb598c..baac7dff4d 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 12/20/2018 --- # 4672(S): Special privileges assigned to new logon. @@ -18,7 +18,7 @@ ms.date: 04/19/2017 Event 4672 illustration - +
    ***Subcategory:*** [Audit Special Logon](audit-special-logon.md) ***Event Description:*** @@ -125,7 +125,7 @@ You typically will see many of these events in the event log, because every logo | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | | SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | | SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
    When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
    With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
    With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | | SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
    With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
    The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | | SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | | SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
    With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index b0f14b177b..55ce54d4ee 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 --- # 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network. @@ -15,6 +14,8 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 - Windows Server 2016 +- Windows Server 2012 R2 +- Windows Server 2012 Event 5031 illustration diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 6629438e93..1f94b66e1c 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -8,56 +8,57 @@ ms.pagetype: security ms.localizationpriority: medium ms.author: justinha author: justinha -ms.date: 11/15/2018 +ms.date: 12/20/2018 --- -# How to control USB devices and other removable media using Intune +# How to control USB devices and other removable media using Windows Defender ATP **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +Windows Defender ATP provides multiple monitoring and control features for USB peripherals to help prevent threats in unauthorized peripherals from compromising your devices: -You can configure Intune settings to reduce threats from removable storage such as USB devices, including: +1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: + - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. + - The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. + - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. + +2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) + - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). -- [Block unwanted removeable storage](#block-unwanted-removable-storage) -- [Protect allowed removable storage](#protect-allowed-removable-storage) +3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral: + - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. + - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. -Protecting allowed removeable storage requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). -We recommend enabling real-time protection for improved scanning performance, especially for large storage devices. -If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. -You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted. +>[!NOTE] +>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. -> [!NOTE] -> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For data loss prevention on Windows 10 devices, you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device. +For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). -## Block unwanted removeable storage +## Prevent threats from removable storage + +Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals. -1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). -2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. +### Enable Windows Defender Antivirus Scanning - ![Create device configuration profile](images/create-device-configuration-profile.png) +Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. -3. Use the following settings: +- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices. +- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting. - - Name: Windows 10 Device Configuration - - Description: Block removeable storage and USB connections - - Platform: Windows 10 and later - - Profile type: Device restrictions +>[!NOTE] +>We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**. - ![Create profile](images/create-profile.png) + -4. Click **Configure** > **General**. +### Block untrusted and unsigned processes on USB peripherals -5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. - - ![General settings](images/general-settings.png) - -6. Click **OK** to close **General** settings and **Device restrictions**. - -7. Click **Create** to save the profile. - -Alternatively, you can create a custom profile in Intune and configure [DeviceInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) policies. - -## Protect allowed removable storage +End-users might plug in removable devices that are infected with malware. +To prevent infections, a company can block USB files that are unsigned or untrusted. +Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. +This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. +With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. +Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files. These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). @@ -73,7 +74,7 @@ These settings require [enabling real-time protection](https://docs.microsoft.co - Platform: Windows 10 or later - Profile type: Endpoint protection - ![Create enpoint protection profile](images/create-endpoint-protection-profile.png) + ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) 4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. @@ -83,4 +84,104 @@ These settings require [enabling real-time protection](https://docs.microsoft.co 6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**. -7. Click **Create** to save the profile. \ No newline at end of file +7. Click **Create** to save the profile. + +### Protect against Direct Memory Access (DMA) attacks + +DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks: + +1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. + + Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. + + Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + +2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can: + + - [Block DMA until a user signs in](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) + - [Block all connections via the Thunderbolt ports (including USB devices)](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) + + +## Detect plug and play connected events + +You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. +For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). +Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). + +## Respond to threats + +Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. + +>[!Note] +>Always test and refine these settings with a pilot group of users and devices first before applying them in production. + +The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. +For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). + +| Control | Description | +|----------|-------------| +| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage | +| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware | +| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware | + +>[!Note] +>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. + +### Block installation and usage of removable storage + +1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. + + ![Create device configuration profile](images/create-device-configuration-profile.png) + +3. Use the following settings: + + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 and later + - Profile type: Device restrictions + + ![Create profile](images/create-profile.png) + +4. Click **Configure** > **General**. + +5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. **Removable storage** includes USB drives, where **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only. + + ![General settings](images/general-settings.png) + +6. Click **OK** to close **General** settings and **Device restrictions**. + +7. Click **Create** to save the profile. + +### Only allow installation and usage of specifically approved peripherals + +Windows Defender ATP allows installation and usage of only specifically approved peripherals by creating a custom profile in Intune and configuring [DeviceInstallation policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation). +For example, this custom profile allows installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0". + +![Custom profile](images/custom-profile-allow-device-ids.png) + +Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + +For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses). +Allowing installation of specific devices requires also enabling [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings). + +### Prevent installation of specifically prohibited peripherals + +Windows Defender ATP also blocks installation and usage of prohibited peripherals with a custom profile in Intune. +For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0", and applies to USB devices with matching hardware IDs that are already installed. + +![Custom profile](images/custom-profile-prevent-device-ids.png) + +For a SyncML example that prevents installation of specific device IDs, see [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids). To prevent specific device classes, see [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). + +## Related topics + +- [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) +- [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) +- [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) +- [Perform a custom scan of a removable device](https://aka.ms/scanusb) +- [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) +- [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) + + + diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png index 1e0f0587a3..1b6d4aa708 100644 Binary files a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png and b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png new file mode 100644 index 0000000000..95ac48ec54 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png differ diff --git a/windows/security/threat-protection/device-control/images/custom-profile-prevent-device-ids.png b/windows/security/threat-protection/device-control/images/custom-profile-prevent-device-ids.png new file mode 100644 index 0000000000..d949232d44 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/custom-profile-prevent-device-ids.png differ diff --git a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png new file mode 100644 index 0000000000..44be977537 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png differ diff --git a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png new file mode 100644 index 0000000000..cf8399acf4 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png differ diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 5dc552c190..b4f4ff5cc4 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -13,9 +13,9 @@ ms.date: 08/01/2018 # Microsoft Safety Scanner Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats. -- [Download 32-bit](https://go.microsoft.com/fwlink/?LinkId=212733) +- [Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733) -- [Download 64-bit](https://go.microsoft.com/fwlink/?LinkId=212732) +- [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732) Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan. diff --git a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md new file mode 100644 index 0000000000..f8676a335b --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md @@ -0,0 +1,8 @@ +--- +author: jasongerend +ms.author: jgerend +ms.date: 1/4/2019 +ms.topic: include +ms.prod: w10 +--- +Using SMB packet signing can degrade performance on file service transactions, depending on the version of SMB and available CPU cycles. \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index 988d211159..78a93d1dc7 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network client: Digitally sign communications (always) @@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: - [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 16cffebd8d..74f1f7f04d 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network client: Digitally sign communications (if server agrees) @@ -29,7 +29,7 @@ If server-side SMB signing is required, a client computer will not be able to es If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index 8e2cdd2740..9661827e2a 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/201 +ms.date: 01/04/2019 --- # SMB v1 Microsoft network server: Digitally sign communications (always) @@ -33,7 +33,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 654a737d1a..7443f0f9de 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network server: Digitally sign communications (if client agrees) @@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 27e5ec8d90..b5c590602d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jsuther1974 -ms.date: 11/28/2018 +ms.date: 01/08/2019 --- # Windows Defender Application Control @@ -38,7 +38,7 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs ## WDAC System Requirements WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016. -They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune. +They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. Group Policy or Intune can be used to distribute WDAC policies. ## New and changed functionality diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 511904d283..d2602326e1 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -25,7 +25,7 @@ You can see how an employee would use standalone mode with Application Guard. **To test Application Guard in Standalone mode** -1. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. +1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard) steps in this guide. 2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. @@ -46,7 +46,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise- ### Install, set up, and turn on Application Guard Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. -1. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. +1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard) steps in this guide. 2. Restart the device and then start Microsoft Edge. diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 5e93dae32c..6939cb2a2a 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -98,6 +98,7 @@ ## [Get started](get-started.md) +### [What's new in Windows Defender ATP](whats-new-in-windows-defender-atp.md) ### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) ### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) ### [Preview features](preview-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md index b3d5cbfb91..6dfed8dd52 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/16/2017 +ms.date: 12/20/2018 --- # Configure HP ArcSight to pull Windows Defender ATP alerts @@ -51,10 +51,10 @@ This section guides you in getting the necessary information to set and use the You can generate these tokens from the **SIEM integration** setup section of the portal. -## Install and configure HP ArcSight SmartConnector +## Install and configure HP ArcSight FlexConnector The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). -1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightSmartConnectors\current\bin`.

    You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. +1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.

    You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. 2. Follow the installation wizard through the following tasks: - Introduction @@ -66,7 +66,7 @@ The following steps assume that you have completed all the required steps in [Be You can keep the default values for each of these tasks or modify the selection to suit your requirements. -3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the SmartConnector installation location, for example: +3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the FlexConnector installation location, for example: - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\ diff --git a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md new file mode 100644 index 0000000000..2368678ecc --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md @@ -0,0 +1,75 @@ +--- +title: What's new in Windows Defender ATP +description: Lists the new features and functionality in Windows Defender ATP +keywords: what's new in windows defender atp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +ms.date: 01/07/2019 +--- + +# What's new in Windows Defender ATP +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Here are the new features in the latest release of Windows Defender ATP. + +## Windows Defender ATP 1809 +- [Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) +Controlled folder access is now supported on Windows Server 2019. + +- [Attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) +All Attack surface reduction rules are now supported on Windows Server 2019. +For Windows 10, version 1809 there are two new attack surface reduction rules: + - Block Adobe Reader from creating child processes + - Block Office communication application from creating child processes. + +- [Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) + - Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/). + - Windows Defender Antivirus can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security. + - [Configure CPU priority settings](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus) for Windows Defender Antivirus scans. + + + +- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
    +Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + +- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
    +With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
    +Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
    +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
    +Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
    +Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
    +Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. +- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)
    +Windows Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs. + +## Windows Defender ATP 1803 +- [Attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) +New attack surface reduction rules: + - Use advanced protection against ransomware + - Block credential stealing from the Windows local security authority subsystem (lsass.exe) + - Block process creations originating from PSExec and WMI commands + - Block untrusted and unsigned processes that run from USB + - Block executable content from email client and webmail +- [Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) +You can now block untrusted processes from writing to disk sectors using Controlled Folder Access. +- [Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) +Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus). +- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
    +Query data using Advanced hunting in Windows Defender ATP +- [Automated investigation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
    Use Automated investigations to investigate and remediate threats +- [Conditional access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
    +Enable conditional access to better protect users, devices, and data + diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 557b83c494..2b00cbb179 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/27/2018 +ms.date: 12/19/2018 --- # Customize attack surface reduction rules @@ -47,7 +47,7 @@ Rule description | GUID -|:-:|- Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index 6c8ae105ee..1655e466e9 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -4,6 +4,4 @@ ## [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) ## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) ## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) -## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) - - +## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) \ No newline at end of file diff --git a/windows/whats-new/images/Defender.png b/windows/whats-new/images/Defender.png index a99f5992a0..1d14812242 100644 Binary files a/windows/whats-new/images/Defender.png and b/windows/whats-new/images/Defender.png differ diff --git a/windows/whats-new/images/WebSignIn.png b/windows/whats-new/images/WebSignIn.png index 4afa324aec..1a2c0ed270 100644 Binary files a/windows/whats-new/images/WebSignIn.png and b/windows/whats-new/images/WebSignIn.png differ diff --git a/windows/whats-new/images/virus-and-threat-protection.png b/windows/whats-new/images/virus-and-threat-protection.png index 8fd800dcfa..f5fd5287bc 100644 Binary files a/windows/whats-new/images/virus-and-threat-protection.png and b/windows/whats-new/images/virus-and-threat-protection.png differ diff --git a/windows/whats-new/images/wdatp.png b/windows/whats-new/images/wdatp.png new file mode 100644 index 0000000000..79410f493f Binary files /dev/null and b/windows/whats-new/images/wdatp.png differ diff --git a/windows/whats-new/images/windows-defender-atp.png b/windows/whats-new/images/windows-defender-atp.png new file mode 100644 index 0000000000..938ac2c72d Binary files /dev/null and b/windows/whats-new/images/windows-defender-atp.png differ diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 12fae68091..47357b364c 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -35,7 +35,9 @@ Windows 10 provides IT professionals with advanced protection against modern sec - [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485) +## See also +[Windows 10 Enterprise LTSC](ltsc/index.md)     diff --git a/windows/whats-new/ltsc/TOC.md b/windows/whats-new/ltsc/TOC.md new file mode 100644 index 0000000000..6dfee34a97 --- /dev/null +++ b/windows/whats-new/ltsc/TOC.md @@ -0,0 +1,4 @@ +# [Windows 10 Enterprise LTSC](index.md) +## [What's new in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md) +## [What's new in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md) +## [What's new in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) \ No newline at end of file diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md new file mode 100644 index 0000000000..df4bb4d4b9 --- /dev/null +++ b/windows/whats-new/ltsc/index.md @@ -0,0 +1,49 @@ +--- +title: Windows 10 Enterprise LTSC +description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 LTSC", "Windows 10 LTSB"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.date: 12/27/2018 +ms.localizationpriority: low +--- + +# Windows 10 Enterprise LTSC + +**Applies to** +- Windows 10 Enterprise LTSC + +## In this topic + +This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. + +[What's New in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md)
    +[What's New in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md)
    +[What's New in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md) + +## The Long Term Servicing Channel (LTSC) + +The following table summarizes equivalent feature update versions of Windows 10 LTSC and semi-annual channel (SAC) releases. + +| LTSC release | Equivalent SAC release | Availability date | +| --- | --- | --- | +| Windows 10 Enterprise 2015 LTSC | Windows 10, Version 1507 | 7/29/2015 | +| Windows 10 Enterprise 2016 LTSC | Windows 10, Version 1607 | 8/2/2016 | +| Windows 10 Enterprise 2019 LTSC | Windows 10, Version 1809 | 11/13/2018 | + +>[!NOTE] +>The Long Term Servicing Channel was previously called the Long Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. + +With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. + +>[!IMPORTANT] +>The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). + +For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview.md). + +## See Also + +[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
    +[Windows 10 - Release information](https://docs.microsoft.com/en-us/windows/windows-10/release-information): Windows 10 current versions by servicing option. \ No newline at end of file diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md new file mode 100644 index 0000000000..cc7f3c8058 --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -0,0 +1,307 @@ +--- +title: What's new in Windows 10 Enterprise 2015 LTSC +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +--- + +# What's new in Windows 10 Enterprise 2015 LTSC + +**Applies to** +- Windows 10 Enterprise 2015 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). + +## Deployment + +### Provisioning devices using Windows Imaging and Configuration Designer (ICD) + +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. + +[Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages) + +## Security + +### Applocker + +Applocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. + +Enhancements to Applocker in Windows 10 include: + +- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. +- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. +- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). + +[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). + +### Bitlocker + +Enhancements to Applocker in Windows 10 include: + +- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. +- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. +- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." + +[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview). + +### Certificate management + +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) + +### Microsoft Passport + +In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. + +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. + +### Security auditing + +In Windows 10, security auditing has added some improvements: +- [New audit subcategories](#bkmk-auditsubcat) +- [More info added to existing audit events](#bkmk-moreinfo) + +#### New audit subcategories + +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: +- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. + When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. +- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. + Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. + +#### More info added to existing audit events + +With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: +- [Changed the kernel default audit policy](#bkmk-kdal) +- [Added a default process SACL to LSASS.exe](#bkmk-lsass) +- [Added new fields in the logon event](#bkmk-logon) +- [Added new fields in the process creation event](#bkmk-logon) +- [Added new Security Account Manager events](#bkmk-sam) +- [Added new BCD events](#bkmk-bcd) +- [Added new PNP events](#bkmk-pnp) + +#### Changed the kernel default audit policy + +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. + +#### Added a default process SACL to LSASS.exe + +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +This can help identify attacks that steal credentials from the memory of a process. + +#### New fields in the logon event + +The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: +1. **MachineLogon** String: yes or no + If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. +2. **ElevatedToken** String: yes or no + If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. +3. **TargetOutboundUserName** String + **TargetOutboundUserDomain** String + The username and domain of the identity that was created by the LogonUser method for outbound traffic. +4. **VirtualAccount** String: yes or no + If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. +5. **GroupMembership** String + A list of all of the groups in the user's token. +6. **RestrictedAdminMode** String: yes or no + If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. + For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). + +#### New fields in the process creation event + +The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: +1. **TargetUserSid** String + The SID of the target principal. +2. **TargetUserName** String + The account name of the target user. +3. **TargetDomainName** String + The domain of the target user.. +4. **TargetLogonId** String + The logon ID of the target user. +5. **ParentProcessName** String + The name of the creator process. +6. **ParentProcessId** String + A pointer to the actual parent process if it's different from the creator process. + +#### New Security Account Manager events + +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: +- SamrEnumerateGroupsInDomain +- SamrEnumerateUsersInDomain +- SamrEnumerateAliasesInDomain +- SamrGetAliasMembership +- SamrLookupNamesInDomain +- SamrLookupIdsInDomain +- SamrQueryInformationUser +- SamrQueryInformationGroup +- SamrQueryInformationUserAlias +- SamrGetMembersInGroup +- SamrGetMembersInAlias +- SamrGetUserDomainPasswordInformation + +#### New BCD events + +Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): +- DEP/NEX settings +- Test signing +- PCAT SB simulation +- Debug +- Boot debug +- Integrity Services +- Disable Winload debugging menu + +#### New PNP events + +Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. + +[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). + +### Trusted Platform Module + +#### New TPM features in Windows 10 + +The following sections describe the new and changed functionality in the TPM for Windows 10: +- [Device health attestation](#bkmk-dha) +- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support +- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support +- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support + +### Device health attestation + +Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. +Some things that you can check on the device are: +- Is Data Execution Prevention supported and enabled? +- Is BitLocker Drive Encryption supported and enabled? +- Is SecureBoot supported and enabled? + +> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). + +### User Account Control + +User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. + +You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. + +For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). + +In Windows 10, User Account Control has added some improvements: + +- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. + +[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). + +### VPN profile options + +Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: + +- Always-on auto connection behavior +- App=triggered VPN +- VPN traffic filters +- Lock down VPN +- Integration with Microsoft Passport for Work + +[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) + + +## Management + +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. + +### MDM support + +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. + +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. + +Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=533172) + +### Unenrollment + +When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. + +When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. + +### Infrastructure + +Enterprises have the following identity and management choices. + +| Area | Choices | +|---|---| +| Identity | Active Directory; Azure AD | +| Grouping | Domain join; Workgroup; Azure AD join | +| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | + + > **Note**   +With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). + +  +### Device lockdown + + +Do you need a computer that can only do one thing? For example: + +- A device in the lobby that customers can use to view your product catalog. +- A portable device that drivers can use to check a route on a map. +- A device that a temporary worker uses to enter data. + +You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. + +You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. + +Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). + +### Customized Start layout + +A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). + +Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). + +## Updates + +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. + +By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: + +- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). + +- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. + +- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). + +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). + + +Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). + +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). + +## Microsoft Edge + +Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. + +- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. +- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. +- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. +- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. + +### Enterprise guidance + +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). + +We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. + +[Learn more about using Microsoft Edge in the enterprise](https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11) + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md new file mode 100644 index 0000000000..1058f0c9b3 --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -0,0 +1,174 @@ +--- +title: What's new in Windows 10 Enterprise 2016 LTSC +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +--- + +# What's new in Windows 10 Enterprise 2016 LTSC + +**Applies to** +- Windows 10 Enterprise 2016 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607. + +## Deployment + +### Windows Imaging and Configuration Designer (ICD) + +In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) + +Windows ICD now includes simplified workflows for creating provisioning packages: + +- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) +- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) +- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) + +[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) + +### Windows Upgrade Readiness + +>[!IMPORTANT] +>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. + +Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. + +With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues, with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. + +[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +## Security + +### Credential Guard and Device Guard + +Isolated User Mode is now included with Hyper-V so you don't have to install it separately. + +### Windows Hello for Business + +When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: + +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. +- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. +- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. + + +[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) + +### Bitlocker + +#### New Bitlocker features + +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + It provides the following benefits: + - The algorithm is FIPS-compliant. + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + >**Note:**  Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. + +### Security auditing + +#### New Security auditing features + +- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. + +### Trusted Platform Module + +#### New TPM features + +- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). + +### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) + +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. + +Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. + +- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) +- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) + +[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) + +### Windows Defender + +Several new features and management options have been added to Windows Defender in this version of Windows 10. + +- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. +- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. +- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. +- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). +- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. + +### Windows Defender Advanced Threat Protection (ATP) + +With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. + +[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +### VPN security + +- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. +- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. +- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) +- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. + +## Management + +### Use Remote Desktop Connection for PCs joined to Azure Active Directory + +From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc) + +### Taskbar configuration + +Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies) + +### Mobile device management and configuration service providers (CSPs) + +Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). + +### Shared PC mode + +This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc) + +### Application Virtualization (App-V) for Windows 10 + +Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. + +With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. + +[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) + +### User Experience Virtualization (UE-V) for Windows 10 + +Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. + +With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. + +With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. + +[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. + diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md new file mode 100644 index 0000000000..e05f864f1b --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -0,0 +1,694 @@ +--- +title: What's new in Windows 10 Enterprise 2019 LTSC +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +--- + +# What's new in Windows 10 Enterprise 2019 LTSC + +**Applies to** +- Windows 10 Enterprise 2019 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. + +Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: + - Advanced protection against modern security threats + - Full flexibility of OS deployment + - Updating and support options + - Comprehensive device and app management and control capabilities + +The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. + +>[!IMPORTANT] +>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. + +## Security + +This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. + +### Threat protection + +#### Windows Defender ATP + +The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. + +![Windows Defender ATP](../images/wdatp.png) + +##### Attack surface reduction + +Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). + - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. + +###### Windows Defender Firewall + +Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead). + +###### Windows Defender Application Guard + +Windows Defender Application Guard hardens a favorite attacker entry-point by isolating malware and other threats away from your data, apps, and infrastructure. For more information, see [Windows Defender Application Guard overview](https://docs.microsoft.com/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview). + +Windows Defender Application Guard has support for Edge and has extensions for Chrome and Firefox. For more information, see [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements) + +Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security Center. + +Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For more information, see [Windows Defender Application Guard inside Windows Security App](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). + +To try this: + +1. Go to **Windows Security** and select **App & browser control**. +2. Under **Isolated browsing**, select **Install Windows Defender Application Guard**, then install and restart the device. +3. Select **Change Application Guard** settings. +4. Configure or check Application Guard settings. + +See the following example: + +![Security at a glance](../images/1_AppBrowser.png "app and browser control") +![Isolated browser](../images/2_InstallWDAG.png "isolated browsing") +![change WDAG settings](../images/3_ChangeSettings.png "change settings") +![view WDAG settings](../images/4_ViewSettings.jpg "view settings") + +##### Windows Defender Device Guard + +[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: +- Software-based protection provided by code integrity policies +- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) + +But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). + +### Next-gen protection + +#### Office 365 Ransomware Detection + +For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) + +### Endpoint detection and response + +Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. + + Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). + + We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on: + - [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) + - [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) + - [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) + - [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) + - [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) + + Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). + + New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: + - [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) + - [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) + - [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) + + We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + + **Endpoint detection and response** is also enhanced. New **detection** capabilities include: + - [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. + - Upgraded detections of ransomware and other advanced attacks. + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. + + **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: + - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. + +Additional capabilities have been added to help you gain a holistic view on **investigations** include: + - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) + - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) + - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. + - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. + +Other enhanced security features include: +- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. +- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) + +We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. + +We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. + +This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). + +You can read more about ransomware mitigations and detection capability at: +- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) +- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) +- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) + +Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) + +Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). + +### Information protection + +Improvements have been added to Windows Information Protection and BitLocker. + +#### Windows Information Protection + +Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). + +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). + +You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). + +This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). + +### BitLocker + +The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). + +#### Delivering BitLocker policy to AutoPilot devices during OOBE + +You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins. + +For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. + +#### Silent enforcement on fixed drives + +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. + +This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. + +This feature will soon be enabled on Olympia Corp as an optional feature. + +### Identity protection + +Improvements have been added are to Windows Hello for Business and Credential Guard. + +#### Windows Hello for Business + +New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. + +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude: +- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). +- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. +- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). + +[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. +- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). +- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. +- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. +- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. +- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. +- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). + +For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) + +#### Windows Defender Credential Guard + +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. + +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. + +For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). + +### Other security improvments + +#### Windows security baselines + +Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published. + +#### SMBLoris vulnerability + +An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. + +#### Windows Security Center + +Windows Defender Security Center is now called **Windows Security Center**. + +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. + +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. + +WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. + +![alt text](../images/defender.png "Windows Security Center") + +#### Group Policy Security Options + +The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. + +A new security policy setting +[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. + +#### Windows 10 in S mode + +We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: + +![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") + +## Sign-in + +### Faster sign-in to a Windows 10 shared pc + +If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc.md) in a flash! + +**To enable fast sign-in:** +1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC. +2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. +3. Sign-in to a shared PC with your account. You'll notice the difference! + + ![fast sign-in](../images/fastsignin.png "fast sign-in") + +### Web sign-in to Windows 10 + +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). + +**To try out web sign-in:** +1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). +2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. +3. On the lock screen, select web sign-in under sign-in options. +4. Click the “Sign in” button to continue. + +![Web sign-in](../images/websignin.png "web sign-in") + +## Deployment + +### MBR2GPT.EXE + +MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). + +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. + +Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). + +### Windows Autopilot + +Information about Windows Autopilot support for LTSC 2019 is pending. + +### DISM + +The following new DISM commands have been added to manage feature updates: + + DISM /Online /Initiate-OSUninstall + – Initiates a OS uninstall to take the computer back to the previous installation of windows. + DISM /Online /Remove-OSUninstall + – Removes the OS uninstall capability from the computer. + DISM /Online /Get-OSUninstallWindow + – Displays the number of days after upgrade during which uninstall can be performed. + DISM /Online /Set-OSUninstallWindow + – Sets the number of days after upgrade during which uninstall can be performed. + +For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). + +### Windows Setup + +You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. + +Prerequisites: +- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later. +- Windows 10 Enterprise or Pro + +For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). + +It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. + + /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}] + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) + +New command-line switches are also available to control BitLocker: + + Setup.exe /BitLocker AlwaysSuspend + – Always suspend bitlocker during upgrade. + Setup.exe /BitLocker TryKeepActive + – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. + Setup.exe /BitLocker ForceKeepActive + – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) + +### Feature update improvements + +Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). + +### SetupDiag + +[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. + +SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. + +## Windows Analytics + +### Upgrade Readiness + +>[!IMPORTANT] +>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. + +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. + +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. + +For more information about Upgrade Readiness, see the following topics: + +- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) +- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + +### Update Compliance + +Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. + +Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. + +For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). + +New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). + +### Device Health + +Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). + +## Accessibility and Privacy + +### Accessibility + +"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. + +### Privacy + +In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app. + +## Configuration + +### Kiosk Configuration + +We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. + +To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. + +![set up a kiosk](../images/kiosk-mode.png "set up a kiosk") + +Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. + +1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode. +2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. + +![single app assigned access](../images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") + +Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. + +>[!NOTE] +>The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings. + +1. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. + +![multi-app assigned access](../images/Multi-app_kiosk_inFrame.png "multi-app assigned access") + +2. **Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. + +![normal mode](../images/Normal_inFrame.png "normal mode") + +Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). + +The AssignedAccess CSP has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For more information, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). + +### Windows 10 kiosk and Kiosk Browser + +With this release you can easily deploy and manage kiosk devices with Microsoft Intune in single and multiple app scenarios. This includes the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below. + +- Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons. +- Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies +- Support for multiple screens for digital signage use cases. +- The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page. +- The ability to configure and run Shell Launcher in addition to existing UWP Store apps. +- A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases. +- For multi-user Firstline Worker kiosk devices, instead of specifying every user, it’s now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups. +- To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues. + +For more information, see: +- [Making IT simpler with a modern workplace](https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/) +- [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691) + +### Co-management + +Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. + +For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) + +### OS uninstall period + +The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. + +### Windows Configuration Designer + +Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) as an app. To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). + +Windows Configuration Designer in Windows 10 Enterprise 2019 LTSC includes several new wizards to make it easier to create provisioning packages. + +![wizards for desktop, mobile, kiosk, Surface Hub](../images/wcd-options.png) + +Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp). + +![remove pre-installed software option](../images/wcd-cleanpc.png) + +[Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages) + +### Azure Active Directory join in bulk + +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. + +![get bulk token action in wizard](../images/bulk-token.png) + +### Windows Spotlight + +The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: + +- **Turn off the Windows Spotlight on Action Center** +- **Do not use diagnostic data for tailored experiences** +- **Turn off the Windows Welcome Experience** + +[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) + +### Start and taskbar layout + +Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). + +[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: + +- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) +- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) +- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). + + +### Cortana at work + +Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. + +Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. + +For more info about Cortana at work, see [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) + +## Microsoft Edge + +iOS and Android versions of Edge are now available. For more information, see [Microsoft Edge Tips](https://microsoftedgetips.microsoft.com/en-us?source=firstrunwip). + +Support in [Windows Defender Application Guard](#windows-defender-application-guard) is also improved. + +#### Microsoft Edge Group Policies + +We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](https://aka.ms/new-microsoft-edge-group-policies). + +## Windows Update + +### Windows Update for Business + +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). + + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. + +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). + +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). + + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. + +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). + +### Windows Insider for Business + +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). + +You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). + + +### Optimize update delivery + +With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. + +>[!NOTE] +> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. + +Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. + +Added policies include: +- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) +- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) +- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) +- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) +- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) + +To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) + +### Uninstalled in-box apps no longer automatically reinstall + +Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. + +Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC. + +## Management + +### New MDM capabilities + +Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). + +Some of the other new CSPs are: + +- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. + +- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. + +- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. + +- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. + +- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx). + +- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. + +IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. + +[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) + +MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). + +Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). + +### Mobile application management support for Windows 10 + +The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC. + +For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). + +### MDM diagnostics + +In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. + +### Application Virtualization for Windows (App-V) + +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. + +For more info, see the following topics: +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) +- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) + +### Windows diagnostic data + +Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. + +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) + +### Group Policy spreadsheet + +Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC. + +- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) + +### Mixed Reality Apps + +This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality). + +## Networking + +### Network stack + +Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). + +### Miracast over Infrastructure + +In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). + +How it works: + +Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. + +Miracast over Infrastructure offers a number of benefits: + +- Windows automatically detects when sending the video stream over this path is applicable. +- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. +- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. +- No changes to current wireless drivers or PC hardware are required. +- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. +- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. + +Enabling Miracast over Infrastructure: + +If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: + +- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS. +- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. + - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. +- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. +- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. + +It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. + +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + +![Registry editor dropdown](../images/regeditor.png "Registry editor dropdown") + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. + +- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. +- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. + +See the following example: + +![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") +![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. \ No newline at end of file diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 64fcbb7821..04956b3138 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -5,8 +5,7 @@ keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 October 2018 Up ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dawnwood -ms.date: 10/02/2018 +author: greg-lindsay ms.localizationpriority: high --- @@ -20,32 +19,11 @@ The following 3-minute video summarizes some of the new features that are availa   - - - > [!video https://www.youtube.com/embed/hAva4B-wsVA] -## Your Phone app +## Deployment -Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. - -For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. - -![your phone](images/your-phone.png "your phone") - -The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. - -## Wireless projection experience - -One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes: - -* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible -* Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly -* Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. - -![wireless projection banner](images/beaming.png "wireless projection banner") - -## Windows Autopilot self-deploying mode +### Windows Autopilot self-deploying mode Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. @@ -55,64 +33,15 @@ You can utilize Windows Autopilot self-deploying mode to register the device to To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). -## Kiosk setup experience +### SetupDiag -We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. +[SetupDiag](/windows/deployment/upgrade/setupdiag.md) version 1.4 is released. SetupDiag is a standalone diagnostic tool that can be used to troubleshoot issues when a Windows 10 upgrade is unsuccessful. -To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. - -![set up a kiosk](images/kiosk-mode.png "set up a kiosk") - -Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. - -1.__Digital / Interactive signage__ that displays a specific website full-screen and runs InPrivate mode. -2.__Public browsing__ supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. - -![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") - -Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. - ->[!NOTE] ->The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings. - -1.__Public browsing__ supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. - -![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") - -2.__Normal mode__ runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. - -![normal mode](images/Normal_inFrame.png "normal mode") - -Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). - -## Registry editor improvements - -We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. - -![Registry editor dropdown](images/regeditor.png "Registry editor dropdown") - -## Remote Desktop with Biometrics - -Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. - -![Enter your credentials](images/RDPwBioTime.png "Windows Hello") - -To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click __Connect__. - -Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click __More choices__ to choose alternate credentials. - -![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") - -In this example, Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. - -![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") - -## Security Improvements +## Security We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: -![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") - + ![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. @@ -124,8 +53,6 @@ We’re continuing to work on how other security apps you’ve installed show up This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). -
    HKLM\SOFTWARE\Microsoft\Security Center\Feature DisableAvCheck (DWORD) = 1
    - ### BitLocker #### Silent enforcement on fixed drives @@ -146,16 +73,20 @@ For example, you can choose the XTS-AES 256 encryption algorithm, and have it ap Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings. -Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For detailed information, click [here](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). +Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For more information, see [Windows Defender Application Guard inside Windows Security App](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). + +To try this: -To try this, 1. Go to**Windows Security** and select **App & browser control**. -![Security at a glance](images/1_AppBrowser.png "app and browser control") 2. Under **Isolated browsing**, select **Install Windows Defender Application Guard**, then install and restart the device. -![Isolated browser](images/2_InstallWDAG.png "isolated browsing") 3. Select **Change Application Guard** settings. -![change WDAG settings](images/3_ChangeSettings.png "change settings") 4. Configure or check Application Guard settings. + +See the following example: + +![Security at a glance](images/1_AppBrowser.png "app and browser control") +![Isolated browser](images/2_InstallWDAG.png "isolated browsing") +![change WDAG settings](images/3_ChangeSettings.png "change settings") ![view WDAG settings](images/4_ViewSettings.jpg "view settings") ### Windows Security Center @@ -215,6 +146,42 @@ Windows Defender ATP now adds support for Windows Server 2019. You'll be able to - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
    Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor +## Kiosk setup experience + +We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. + +To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. + +![set up a kiosk](images/kiosk-mode.png "set up a kiosk") + +Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. + +1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode. +2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. + +![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") + +Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. + +>[!NOTE] +>The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings. + +**Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. + +![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") + +**Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. + +![normal mode](images/Normal_inFrame.png "normal mode") + +Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). + +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + +![Registry editor dropdown](images/regeditor.png "Registry editor dropdown") + ## Faster sign-in to a Windows 10 shared pc Do you have shared devices deployed in your work place? **Fast sign-in** enables users to sign in to a shared Windows 10 PC in a flash! @@ -224,7 +191,7 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables 2. Set the Policy CSP, and the Authentication and EnableFastFirstSignIn policies to enable fast sign-in. 3. Sign-in to a shared PC with your account. You'll notice the difference! -![fast sign-in](images/fastsignin.png "fast sign-in") + ![fast sign-in](images/fastsignin.png "fast sign-in") ## Web sign-in to Windows 10 @@ -236,4 +203,36 @@ Until now, Windows logon only supported the use of identities federated to ADFS 3. On the lock screen, select web sign-in under sign-in options. 4. Click the “Sign in” button to continue. -![Web sign-in](images/websignin.png "web sign-in") + ![Web sign-in](images/websignin.png "web sign-in") + +## Your Phone app + +Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. + +For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. + +![your phone](images/your-phone.png "your phone") + +The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. + +## Wireless projection experience + +One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes: + +* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible +* Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly +* Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. + +![wireless projection banner](images/beaming.png "wireless projection banner") + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. + +See the following example: + +![Enter your credentials](images/RDPwBioTime.png "Windows Hello") +![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") \ No newline at end of file